Cyber supply chain risk management touches every part of a business. Supply chain risk management (SCRM) is not solely the responsibility of cybersecurity; it is a partnership between sourcing, vendor management, cybersecurity, and transportation. The National Institute of Standards and Technology (NIST) released a set of best practices for cyber supply chain risk management in 2016. These practices offer high-level guidance on mitigating malware, performing risk assessments, securing information systems, and building on an existing information security program. Like any management program, SCRM should be treated as a lifecycle with a clear set of security practices focused on the supply chain and its management.

Cyber Supply Chain Principles and Supply Chain Risks

According to NIST, there are three primary principles regarding SCRM:

  1. Develop your organizational defenses with “assume breach” in mind.
    • Assume breach means that the organization designs its security posture as if its networks, systems, and applications are already compromised. Treating the internal network as no more trustworthy than the public internet, with no implicit trust granted to any host, user, or service, prepares it for a range of threats and for the compromise that eventually occurs.
  2. Cybersecurity is a people, process, and technology problem.
    • People, process, and technology are the classic triad for solving problems, not only in cybersecurity. Supply chain management focuses on the same three areas to improve supply chain performance, make it more secure, and do more with less.
  3. Security is broad; when one says “security,” the entire landscape must be considered.
    • Multiple security domains interact with each other across a variety of cybersecurity frameworks and best practices, for example the NIST Cybersecurity Framework (CSF), the Center for Internet Security (CIS) Controls, and the ISO/IEC 27000 series from the International Organization for Standardization (ISO).

There are also several risks to the supply chain to consider:

  • Third-party service providers
  • Subpar information security practices by suppliers
  • Compromised hardware and software
  • Security vulnerabilities in supplier systems
  • Malware embedded into counterfeit hardware
  • Third-party data storage with questionable security controls

The principles and risks apply to critical infrastructure, business processes, and intellectual property.

Best Practices

An organization should employ a variety of best practices in its supply chain risk management program. Best practices are approaches proven in industry; they distill the experience of peer organizations into concrete advice about what a program should be doing. The following list is not comprehensive, but it covers practices common to successful programs:

  • Security requirements are defined in requests for proposals (RFPs).
  • Supply chain vendors are assessed by the organization’s security team, and identified vulnerabilities are remediated before information, data, or goods and services are exchanged.
  • If software or hardware supplied by a vendor is found to be counterfeit, that vendor is immediately removed from consideration for future opportunities.
  • Engineers follow a secure software development program and keep their training current.
  • Software updates are made available so that vulnerable systems can be patched.
  • Source code is included with purchased software so that it can be analyzed.
  • Secure boot is used on endpoints so that only firmware and operating system components carrying a valid signature are loaded.
  • The organization dedicates personnel to supply chain cybersecurity activities.
  • Tight access controls for service vendors are implemented and enforced.
  • End-of-life hardware and software are covered by mitigating controls that address the vulnerabilities that will no longer be patched.

Vendor and Supplier Due Diligence

NIST recommends a range of questions to ask suppliers, vendors, and third parties when it comes to SCRM. Most of them verify that the vendor has a documented design process that is measurable and repeatable. Vendors must have a vulnerability management program, notify their customers of vulnerabilities discovered in their products together with the best way to mitigate them, and explain how security is assured throughout the product’s lifecycle. NIST also recommends asking which cybersecurity framework the vendor follows and how configuration management is performed. Vendors and suppliers need a secure distribution process with tightly controlled distribution channels, so that what the customer receives is what the vendor actually built. Asking the right questions helps assess the risk posture of each vendor and supplier, to the benefit of the overall cyber supply chain risk management program.
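As an added, consumer-side illustration of what a controlled distribution channel buys the customer (this is example code written for this page, not code from NIST or from any vendor): the vendor publishes a SHA-256 manifest of its release, and the receiving organization refuses to install anything that does not match it. The file names, file contents, and manifest format below are constructed for the example. The example assumes the manifest itself arrives over a path the download channel cannot alter (for instance signed with the vendor's release key, or fetched from the vendor portal over TLS); it does not show that signature check.

```python
"""Consumer-side check of a vendor release against its published hash manifest.

Constructed example: file names, contents and the manifest format are invented
for illustration and do not come from any real vendor or product.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# --- Vendor side (constructed) -------------------------------------------
# Release artifacts exactly as the vendor built them.
PUBLISHED: Dict[str, bytes] = {
    "agent-installer-2.4.1.bin": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed installer payload",
    "agent-2.4.1.yaml": b"log_level: info\nupdate_channel: stable\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> str:
    """sha256sum-style manifest: one '<hex digest>  <file name>' line per artifact."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(artifacts.items()))


# --- Consumer side --------------------------------------------------------
HEX_DIGITS = set("0123456789abcdef")


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the manifest strictly; a malformed or duplicated entry is a hard error."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or not name or len(digest) != 64 or set(digest) - HEX_DIGITS:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        if name in expected:
            raise ValueError(f"manifest line {lineno} repeats {name!r}")
        expected[name] = digest
    return expected


def verify_delivery(manifest_text: str, received: Dict[str, bytes]) -> Tuple[bool, Dict[str, str]]:
    """Compare what arrived with what the manifest vouches for.

    Returns (accepted, per-file report).  Acceptance fails closed: every listed
    file must be present with a matching digest, and nothing unlisted may ride
    along with the delivery.
    """
    expected = parse_manifest(manifest_text)
    report: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in received:
            report[name] = "missing"
        elif hmac.compare_digest(sha256_hex(received[name]), digest):
            report[name] = "ok"
        else:
            report[name] = "hash_mismatch"
    for name in received:
        if name not in expected:
            report[name] = "unlisted"
    accepted = bool(report) and all(status == "ok" for status in report.values())
    return accepted, report


def demo() -> Tuple[Tuple[bool, Dict[str, str]], Tuple[bool, Dict[str, str]]]:
    """Run the check on a clean delivery and on one altered in transit."""
    manifest = build_manifest(PUBLISHED)
    clean = dict(PUBLISHED)
    tampered = dict(PUBLISHED)
    # One byte appended to the installer, a file nobody vouches for added,
    # and the config file dropped: all three must be caught.
    tampered["agent-installer-2.4.1.bin"] += b"\x90"
    tampered["hotfix-unlisted.bin"] = b"constructed file that is not in the manifest"
    del tampered["agent-2.4.1.yaml"]
    return verify_delivery(manifest, clean), verify_delivery(manifest, tampered)


if __name__ == "__main__":
    for accepted, report in demo():
        print("ACCEPT" if accepted else "REJECT", report)
```

Run as a script it prints one ACCEPT line for the untouched release and one REJECT line naming the altered installer, the missing configuration file, and the file that was not in the manifest. The check fails closed on purpose: a single mismatch rejects the whole delivery, an unlisted file is treated as suspicious rather than ignored, and the digest comparison uses `hmac.compare_digest` so that comparison timing reveals nothing about the expected value.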

Cyber supply chain risk management matters for the global supply chain. Holding vendors and service providers accountable by enforcing SCRM practices is of paramount importance. Supply chain security must involve the entire business and all of its units, not cybersecurity alone. Whenever information is shared between organizations, the information technology that carries it also carries cybersecurity risk and must be part of the discussion. Cyber threats are real, especially those arriving through third-party vendors. Enough best practices are available that organizations should have little difficulty identifying what must be done to protect the supply chain. In the end, SCRM is an integral part of an information technology program that addresses security holistically.