C-SCRM Strategy & Implementation Plan
Posted by ComplianceForge Support on Aug 08, 2022

ComplianceForge is pleased to announce the release of a new product: the Cybersecurity Supply Chain Risk Management (C-SCRM) Strategy & Implementation Plan (SIP). It is based on the recently-released NIST SP 800-161 Rev 1 and is focused on operationalizing an organization's C-SCRM plan. This editable documentation can save hundreds of hours of research and writing time, allowing an organization to hit the ground running on C-SCRM.

Product Page: https://complianceforge.com/product/nist-800-161-cscrm-strategy-implementation-plan

Product highlights of the C-SCRM SIP include:

  • Country-based risk guidance that sets the minimum management decision level required before conducting operations in, or contracting with suppliers from, countries that pose a legitimate C-SCRM threat.
  • The prioritized implementation plan contains mappings for NIST SP 800-161 R1 controls to each C-SCRM implementation phase.
  • Professionally-written, editable documentation template that leverages industry-recognized "best practices" for C-SCRM.
  • Cost-effective solution to quickly generate documentation for a C-SCRM strategy and implementation plan.
  • Example flow-down contract requirements for suppliers, vendors, subcontractors, etc. (DFARS/CMMC, ISO 27001, NIST CSF, NIST 800-53, FAR, PCI DSS, and EU GDPR/CCPA).

To properly manage supply chain-related threats, an organization must evaluate the country-based threats posed by its supply chain. This review must cover the geographies where its products, services and support originate from or transit through, specifically suppliers that:

  • Transmit, process and/or store your company's or its clients' data across the SISP's systems, applications and/or services;
  • Manufacture products or product components used in your company's operations and/or products; and/or
  • Provide services for your company's operations and/or products.

Within the C-SCRM SIP, the criteria for geographic-specific threat management are refined by guidance from:

  • Priority Watch List & Watch List
  • Corruption Perceptions Index
  • Notorious Markets List
  • Designated State Sponsors of Terrorism
  • EAR / ITAR restrictions
  • Potentially hostile data localization laws