
ComplianceForge Support
November 11, 2024
Supply Chain Risk Management

Cybersecurity Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing and mitigating risks in an organization's supply chain that could impact the security and integrity of an organization's products, services and operations.

C-SCRM includes risks associated with the use of third-party vendors, software and other components that make up an organization's broader technology infrastructure. Effective C-SCRM involves identifying potential vulnerabilities and threats in the supply chain and implementing measures to reduce or eliminate those risks. This includes conducting risk assessments, implementing cybersecurity controls and regularly monitoring the supply chain for evolving threats and potential vulnerabilities.

C-SCRM also involves working closely with suppliers and vendors to ensure that those Third-Party Service Providers (TSP) meet an organization's cybersecurity and privacy requirements, so that they do not introduce additional risks to the organization.

There is a lot of invaluable information on the Internet about what C-SCRM is from authoritative sources, such as the US National Institute of Standards and Technology (NIST), the US Department of Homeland Security (DHS), the Cybersecurity & Infrastructure Security Agency (CISA), the US National Counterintelligence and Security Center (NCSC) and many others. It is important to understand that NIST is the authoritative source on C-SCRM-related matters and provides authoritative guidance on the subject for the US Government:

  • Section 1323 of the Secure Technology Act tasked NIST with identifying and recommending development of "supply chain risk management standards, guidelines, and practices for executive agencies to use when assessing and developing mitigation strategies to address supply chain risks..."
  • Section 201.301(d) of the Federal Acquisition Supply Chain Security Act (FASCSA) requires the Federal Acquisition Security Council (FASC) to consult with NIST, which participates in FASC activities as a member, so that NIST can advise the FASC on NIST standards and guidelines issued under 40 U.S.C. 11331, including ensuring that any recommended orders do not conflict with such standards and guidelines.

NIST has several publications and sites that directly frame or support SCRM:

  • NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
  • NIST IR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
  • NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM)
  • NIST's guidance on Executive Order (EO) 14028

Keep in mind that the NIST publications are merely guidance and there is no formal implementation guidance for C-SCRM.

If you are interested in implementing an SCRM plan, we provide a product we call the C-SCRM Strategy & Implementation Plan (C-SCRM SIP), and you can learn more about it from this link: www.complianceforge.com/product/nist-800-161-cscrm-strategy-implementation-plan.