Supply Chain Risk Management (SCRM) Plan Template

Cybersecurity Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing and mitigating risks in an organization's supply chain that could impact the security and integrity of an organization's products, services and operations. C-SCRM includes risks associated with the use of third-party vendors, software and other components that make up an organization's broader technology infrastructure. Effective C-SCRM involves identifying potential vulnerabilities and threats in the supply chain and implementing measures to reduce or eliminate those risks. This includes conducting risk assessments, implementing cybersecurity controls and regularly monitoring the supply chain for evolving threats and potential vulnerabilities. C-SCRM also involves working closely with suppliers and vendors to ensure that those External Service Providers (ESP) meet an organization's cybersecurity and privacy requirements to prevent the introduction of additional risks to the organization.

ComplianceForge compiled the information on this page to serve as a clearinghouse for SCRM-related material. The issue we are trying to solve is how to operationalize C-SCRM practices, so that organizations have actionable plans that can be implemented to both secure their internal processes and assess/mitigate risks within their supply chain. The goal is for organizations to be both secure and compliant with their C-SCRM obligations.

C-SCRM Has A Worldwide Scope That Is Populated With Known Bad Actors

According to the National Counterintelligence Strategy of the United States (years 2020-2022), the strategic objective for supply chain security is to: “Reduce threats to key U.S. supply chains to prevent foreign attempts to compromise the integrity, trustworthiness, and authenticity of products and services purchased and integrated into the operations of the U.S. Government, the Defense Industrial Base, and the private sector." At the heart of C-SCRM are nation-state "bad actors" and the United States Trade Representative’s Special 301 Report Priority Watch List identifies 10 countries (including China and Russia) on its Priority Watch List, as well as an additional 23 countries on its Watch List. This list of countries sets the stage for identifying potential geography-based threats that can directly or indirectly impact the confidentiality, integrity, availability and safety of an organization's supply chain. Additional scrutiny is required for products and services (1) produced by entities located within those countries or (2) by organizations that have ownership or other Conflict of Interest (COI) concerns with governments listed on those watch lists. 

C-SCRM Authoritative Sources

There is a lot of invaluable information on the Internet about what C-SCRM is from authoritative sources, such as the US National Institute of Standards and Technology (NIST), the US Department of Homeland Security (DHS), the Cybersecurity & Infrastructure Security Agency (CISA), the US National Counterintelligence and Security Center (NCSC) and many others. It is important to understand that NIST is the authoritative source on C-SCRM-related matters and provides authoritative guidance on the subject for the US Government:

• Section 1323 of the Secure Technology Act tasked NIST with identifying and recommending development of "supply chain risk management standards, guidelines, and practices for executive agencies to use when assessing and developing mitigation strategies to address supply chain risks..."
• Section 201.301(d) of the Federal Acquisition Supply Chain Security Act (FASCSA) requires the Federal Acquisition Security Council (FASC) to consultation with NIST and participate in FASC activities as a member to advise the FASC on NIST standards and guidelines issued under 40 U.S.C. 11331, including ensuring that any recommended orders do not conflict with such standards and guidelines.

 NIST has several publications and sites that directly frame or support SCRM: 

• NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
• NIST IR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
• NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM)
• NIST's guidance on Executive Order (EO) 14028

Keep in mind that the NIST publications are merely guidance and there is no formal implementation guidance for C-SCRM.

1. By applying a prioritized, phased approach towards ZT/C-SCRM-related activities, it is possible to avoid rework and cascading failures by addressing dependencies earlier in the process; and
2. Focusing resources and efforts on preventative controls, rather than detective controls.

Prevention, tied with automated, reactive technologies can minimize operational disruptions from either hostile or accidental incidents.

The Change Kill Chain breaks the concept of ZT/C-SCRM down into 24 major steps, which can then be translated into a project plan. This project was approached from the question of, “If a consultant was hired to build a ZT/C-SCRM program, what would the plan be to start from nothing to get a company to where it has operational ZT/C-SCRM capabilities?” While the Change Kill Chain maps controls from NIST SP 800-161 to the steps in the model, it is important to emphasize that the prioritization and “bucketing” of controls into phases is a subjective endeavor and not everyone may agree with this approach. If you choose to use the Change Kill Chain, you will invariably need to modify the approach to fit your organization's unique business practices and specific needs.

 

C-SCRM Implementation Plan

C-SCRM Program - Operational Leadership

For C-SCRM to be successful, operational leadership is essential. This “active participation” by a Chief Supply Chain Officer (CSCO), and his/her staff, ensures that processes are effectively carried out on a day-to-day basis. In many industries, the CSCO is often designated as the Chief Operations Officer (COO). Regardless of the official title, the CSCO is responsible for internal and external supply chain processes. This scope ranges beyond simple logistics and manufacturing activities to include:

• Innovation and development.
• Onboarding new technologies/services.
• Business operations (e.g., manufacturing, service delivery, etc.).
• Business Continuity & Disaster Recovery (BCDR).
• Third-party relationship onboarding and management (e.g., vendors, service providers, contractors, etc.).
• Decommissioning technologies, services and third-party relationships.

Efficient operational leadership requires the organization to structure roles that are complementary and not counterproductive. For the CSCO role to be successful in executing the organization’s SCRM program:

• The CSCO needs to report directly to the organization’s Chief Executive Officer (CEO) to eliminate conflicts of interests among leadership representing Lines of Business (LOB) within the organization.
• The CSCO must be able to influence cybersecurity and data protection controls by being part of the organization’s cybersecurity steering committee.
• Due to the reliance on risk management practices and the underlying cybersecurity and data protection controls that enable a SCRM program to function, the Chief Information Security Officer (CISO) should directly report to the CSCO.
• Due to the supply chain nature of DevSecOps, the Chief Technology Officer (CTO) role should directly report to the CSCO.
• Due to the external focus of the SCRM program, the Chief Contracting Officer (CCO) role should directly report to the CSCO to ensure contracts and procurement actions are in-line with the SCRM program.
• Due to how technology is so integral to business operations, the Chief Information Officer (CIO) role should directly report to the CSCO.
• The CISCO, CIO, CTO and CCO need to be viewed as peers, each with an equal role of importance in the SCRM program, where the CSCO provides operational leadership to orchestrate SCRM activities across the enterprise and its supply chain.

Hierarchical SCRM Management Structure [proposed organization chart]

C-SCRM Program - Secure Development Practices

C-SCRM is an enterprise-wide activity that is implemented throughout the System Development Life Cycle (SDLC). Within the concept of secure development practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

• Maintain close working relationships through frequent visits and communications.
• Mentor and coach suppliers on C-SCRM and actively help suppliers improve their cybersecurity and supply chain practices.
• Invest in common solutions.
• Require the use of the same standards within the acquirer organizations and by suppliers, thereby simplifying communications about cybersecurity risk and mitigations and helping to achieve a uniform level of quality throughout the ecosystem.

Resilience and improvement activities include:

• Rules and protocols for information sharing between acquirers and suppliers.
• Joint development, review and revision of incident response, business continuity and disaster recovery plans.
• Protocols for communicating vulnerabilities and incidents.
• Responsibilities for responding to cybersecurity incidents.
• Coordinated communication methods and protocols.
• Coordinated restoration and recovery procedures.
• Collaborative processes to review lessons learned.
• Updates of coordinated response and recovery plans based on lessons learned.

C-SCRM Program - Procurement Practices

C-SCRM lies at the intersection of cybersecurity and supply chain risk management. Existing supply chain and cybersecurity practices provide a foundation for building an effective Risk Management Program (RMP). Therefore, within the concept of procurement practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

• Increased executive leadership or Board of Directors (BoD) involvement for establishing C-SCRM as a top business priority and to ensure proper oversight.
• Clear governance of C-SCRM activities that includes cross-organizational roles and responsibilities with clear definitions and designation/distribution of these roles among enterprise risk management, supply chain, cybersecurity, product management and product security (if applicable) and other relevant functions appropriate for the organization’s business.
• Leading framework-based policies, standards and procedures that provide guidance to different business units detailing their C-SCRM activities.
• Same policies used internally and with suppliers.
• Integration of cybersecurity considerations into the system and product development life cycle.
• Use of cross-functional teams to address specific, enterprise-wide risks.
• Clear definition of roles of individuals responsible for cybersecurity aspects of supplier relationships (which may be different than those responsible for procurement activities with specific suppliers).
• Establishment of Centers of Excellence (CoE) to identify and manage best practices.
• A set of measures of success used to facilitate decision-making, accountability and improvement.
• Approved and banned supplier lists.
• Use of software and hardware component inventory (e.g., bill of materials) for third-party components.
• Prioritization of suppliers based on their criticality.
• Establishment of testing procedures for the most critical components.
• Establishment of a known set of security requirements or controls for all suppliers, especially robust security requirements for critical suppliers to be used in procurement (sometimes known as master specifications).
• Service-Level Agreements (SLA) with suppliers that state the requirements for adhering to the organization’s cybersecurity policy and any controls required of the supplier.
• Establishment of intellectual property rights agreements.
• Shared supplier questionnaires across like organizations, such as within the same critical infrastructure sector.
• Upstream propagation of acquirer’s security requirements within the supply chain to sub-tier suppliers.
• Assurance that suppliers have only the access they need in terms of data, capability, functionality and infrastructure; bounding this access by specific time frames during which suppliers need it.
• Use of escrow services for suppliers with a questionable or risky track record.
• Provision of organization-wide training for all relevant stakeholders within the organization, such as supply chain, legal, product development and procurement; this training may also be extended to key suppliers.
• Identification of alternative sources of critical components to ensure uninterrupted production and delivery of products.
• Secure requirements guiding disposal of hardware that contains regulated data (e.g., CUI, FCI, PII, CHD, PHI, etc.) or otherwise sensitive information (e.g., Intellectual Property (IP)).
• Protocols for securely terminating supplier relationships to ensure that all hardware containing acquirer’s data has been properly disposed of and that the risks of data leakage have been minimized.

C-SCRM Program - Risk Management Practices

C-SCRM needs to be implemented as part of an organization’s overall Enterprise Risk Management (ERM) activities (e.g., NIST SP 800-39 & NISTIR 8286). These risk management practices involve identifying and assessing applicable risks, determining appropriate response actions and developing a C-SCRM strategy. Within the concept of risk management practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

• Activities should involve identifying and assessing applicable risks, as well as determining appropriate response actions.
• Developing a C-SCRM strategy and implementation plan to document selected response actions and monitoring performance against that plan.
• Manage risks. Cyber supply chain risk is associated with a lack of visibility into, understanding of and control over many of the processes and decisions involved in the development and delivery of cyber products and services.
• Manage threats and vulnerabilities. Effectively managing cyber supply chain risks requires a comprehensive view of threats and vulnerabilities.
• Threats can be either “adversarial” (e.g., tampering, counterfeits) or “non-adversarial” (e.g., poor quality, natural disasters).
• Vulnerabilities may be “internal” (e.g., organizational procedures) or “external” (e.g., part of an organization’s supply chain).

C-SCRM Program - Systems, Applications & Services Management Principles

C-SCRM requires organizations to identify critical systems, applications and services, as well as sensitive data, that are most vulnerable and can cause the largest organizational impact if compromised. Within the concept of systems, applications & services management practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

• Developing Data Flow Diagrams (DFDs) that track where regulated data (e.g., CUI, FCI, PII, CHD, PHI, etc.) or “crown jewels” IP is stored, transmitted and processed.
• Identifying suppliers that process regulated data or “crown jewels” IP.
• Developing network diagrams that identify suppliers that have access to the acquirer’s system and network infrastructure.
• Threat modeling to determine whether a supplier can become an attack vector by being compromised and allowing threat actors access to the acquirer’s organization.
• For technology companies, whether a supplier can become an attack vector for the technology company’s products or services delivered to customers.
• Controlling the volume of data a supplier has access to or hosts.
• Monitoring the revenue contribution of suppliers (e.g., criticality).

Can You Honestly Answer How Vendor Cybersecurity Requirements Are Management At Your Organization?

When you "peel back the onion" and prepare for an audit, there is a need to address "the how" for certain topics, such as vendor management. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW the policies and standards are actually implemented. We did the heavy lifting and created several program-level documents to address this need and the Supply Chain Risk Management (SCRM) is one of those products.

Proactively Managing Third-Party Cybersecurity Risk 

ComplianceForge currently offers one (1) product that is specifically designed to assist companies with proactively managing risk associated with third-parties / vendors / suppliers:

• Supply Chain Risk Management (SCRM)

The Supply Chain Risk Management (SCRM) is focused on Third-Party Service Providers (TSP) and suppliers. Using vendors or service providers is a common practice - this may range from bookkeeping, to IT support, to janitorial services, to website hosting and even temporary staffing. What all of these outsourced services have in common is that they expose your company to certain levels of risk that could therefore affect your customers' sensitive data. This "soft underbelly" for companies is well known to hackers and identity thieves as a way to get into companies and steal valuable data.