C-SCRM Strategy & Implementation Plan
Posted by ComplianceForge Support on Aug 08, 2022
ComplianceForge is pleased to announce the release of a new product: Cybersecurity Supply Chain Risk Management (C-SCRM) Strategy & Implementation Plan. This is based on the recently released NIST SP 800-161 Rev 1 and is focused on operationalizing an organization's C-SCRM plan. This editable documentation can save hundreds of hours of research and writing time, allowing an organization to hit the ground running on C-SCRM.
Product Page: https://complianceforge.com/product/nist-800-161-cscrm-strategy-implementation-plan
Product highlights of the C-SCRM SIP include:
- Country-based risk guidance to determine minimum management decision levels for conducting operations in or contracting with suppliers from countries that pose a legitimate C-SCRM threat.
- The prioritized implementation plan contains mappings for NIST SP 800-161 R1 controls to each C-SCRM implementation phase.
- Professionally-written, editable documentation template that leverages industry-recognized "best practices" for C-SCRM.
- Cost-effective solution to quickly generate documentation for a C-SCRM strategy and implementation plan.
- Example flow-down contract requirements for suppliers, vendors, subcontractors, etc. (DFARS/CMMC, ISO 27001, NIST CSF, NIST 800-53, FAR, PCI DSS, and EU GDPR/CCPA).
To properly manage supply chain-related threats, an organization must evaluate the country-based threats posed by its supply chain. This review must cover the geographic concerns of where your products, services and support originate from or transit through, including third parties that:
- Transmit, process and/or store your company's or its clients' data across the SISP's systems, applications and/or services;
- Manufacture products or product components used in your company's operations and/or products; and/or
- Provide services for your company's operations and/or products.
Within the C-SCRM SIP, the criteria for geographic-specific threat management are refined by guidance from:
- Priority Watch List & Watch List
- Corruption Perceptions Index
- Notorious Markets List
- Designated State Sponsors of Terrorism
- EAR / ITAR restrictions
- Potentially hostile data localization laws