Supply Chain Risk Management (SCRM) Plan Template

C-SCRM is the process of identifying, assessing and mitigating risks in an organization's supply chain that could impact the security and integrity of an organization's products, services and operations. C-SCRM includes risks associated with the use of third-party vendors, software and other components that make up an organization's broader technology infrastructure. Effective C-SCRM involves identifying potential vulnerabilities and threats in the supply chain and implementing measures to reduce or eliminate those risks. This includes conducting risk assessments, implementing cybersecurity controls and regularly monitoring the supply chain for evolving threats and potential vulnerabilities. C-SCRM also involves working closely with suppliers and vendors to ensure that those Third-Party Service Providers (TSP) meet an organization's cybersecurity and privacy requirements to prevent the introduction of additional risks to the organization.

ComplianceForge compiled the information on this page to serve as a clearinghouse for SCRM-related material. The issue we are trying to solve is how to operationalize C-SCRM practices, so that organizations have actionable plans that can be implemented to both secure their internal processes and assess/mitigate risks within their supply chain. The goal is for organizations to be both secure and compliant with their C-SCRM obligations.

C-SCRM Has A Worldwide Scope That Is Populated With Known Bad Actors

According to the National Counterintelligence Strategy of the United States (years 2020-2022), the strategic objective for supply chain security is to: “Reduce threats to key U.S. supply chains to prevent foreign attempts to compromise the integrity, trustworthiness, and authenticity of products and services purchased and integrated into the operations of the U.S. Government, the Defense Industrial Base, and the private sector." At the heart of C-SCRM are nation-state "bad actors" and the United States Trade Representative’s Special 301 Report Priority Watch List identifies 10 countries (including China and Russia) on its Priority Watch List, as well as an additional 23 countries on its Watch List. This list of countries sets the stage for identifying potential geography-based threats that can directly or indirectly impact the confidentiality, integrity, availability and safety of an organization's supply chain. Additional scrutiny is required for products and services (1) produced by entities located within those countries or (2) by organizations that have ownership or other Conflict of Interest (COI) concerns with governments listed on those watch lists. 

c-scrm special 301 report priority watch list

Resilient vs Reactive Operational Mindset - Important Considerations For C-SCRM Planning

National Institute of Standards and Technology’s (NISTSP 800-160Developing Cyber Resilient Systems: A Systems Security Engineering Approach, is the authoritative source for "cyber resiliency" and secure engineering principles within the realm of cybersecurity and data protection. A common definition of resilience is “the capacity to quickly recover from difficulties.” Resilience is a measure of an organization’s elasticity – being able to spring back into a pre-determined operational state following an event. Organizations should strive to be resilient to IT and cybersecurity-related incidents both internally and across the supply chain. This concept requires automating Continuous Configuration Enforcement (CCE) across all application technology platforms.

NIST’s National Cybersecurity Center of Excellence (NCCoE) has produced several reference materials intended to support ransomware threat mitigation and all guidance starts with the assumption that devices are hardened - that is NIST's baseline starting assumption for organizations to protect against ransomware. Hardening systems and the automation of security validation is not a new concept where NIST SP 800-31, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, states that "Organizations should have vulnerability mitigation capabilities to help prevent malware incidents. Organizations should have documented policy, processes, and procedures to mitigate known vulnerabilities that malware might exploit. Because a vulnerability usually can be mitigated through one or more methods, organizations should use an appropriate combination of techniques, including security automation technologies with security configuration checklists and patch management, and additional host hardening measures so that effective techniques are readily available for various types of vulnerabilities."

Traditional incident response and recovery operations are not designed with resilience in mind. Recovery is absolutely possible and Service Level Agreement (SLAs) help establish acceptable data loss parameters, maximum outages, etc. However, this is more of a way to bracket risk management decisions and while is an efficient manner to justify budgets for Continuity of Operations (COOP)-related technologies and staffing, it is not sustainable. While reactive operations are often viewed as heroic endeavors that “saved the organization from doom,” it does not mean that reactive model is the best methodology or least expensive path to follow. Resiliency is.

Reactive-Focused Security Operations: Downstream of Events/Incidents

If you study the graphic below, there are a few key takeaways:

  • Effort is on the downstream or “right side” of an incident or event – it is reactive. Baselining and configuration management on the upstream or “left side” of the event is often compliance-focused and are not directly tied to response/recovery operations.
  • The traditional, reactive model has minimal focus on baselining and configuration management.
  • When an incident occurs, there are structured plans to respond that span from minutes to years in duration:

    • Incident Response Plan (IRP)
    • Disaster Recovery Plan (DRP)
    • Business Continuity Plan (BCP)
  • Expense is primarily associated with event detection, response, remediation and recovery operations.
reactive cybersecurity practices

Resiliency-Focused Security Operations: Upstream of Events/Incidents

If you study the graphic below, there are a few key takeaways:

  • Effort is on the upstream or “left side” of an incident or event is prevention-focused. A decrease in effort on the upstream side of an event, will likely result in a decreased operational impact on the downstream or “right side” of the event occurrence.
  • There is significant effort placed on baselining and automating configuration management operations.
  • When an incident occurs, the automated remediation actions minimize impact and the necessity to activate IRPs, DRPs and BCPs.
  • Expense is primarily associated with tightly-controlled configuration management practices.
resilient cybersecurity practices

C-SCRM Authoritative Sources

There is a lot of invaluable information on the Internet about what C-SCRM is from authoritative sources, such as the US National Institute of Standards and Technology (NIST), the US Department of Homeland Security (DHS), the Cybersecurity & Infrastructure Security Agency (CISA), the US National Counterintelligence and Security Center (NCSC) and many others. It is important to understand that NIST is the authoritative source on C-SCRM-related matters and provides authoritative guidance on the subject for the US Government:

 NIST has several publications and sites that directly frame or support SCRM: 

Keep in mind that the NIST publications are merely guidance and there is no formal implementation guidance for C-SCRM.

Applying The Kill Chain Model To C-SCRM

The concept of a "kill chain" adopts the premise that it is easier to stop and prevent further damage if insecure practices or malicious activities are discovered earlier, rather than later. The intention of using the Change Kill Chain is:
  1. By applying a prioritized, phased approach towards ZT/C-SCRM-related activities, it is possible to avoid rework and cascading failures by addressing dependencies earlier in the process; and
  2. Focusing resources and efforts on preventative controls, rather than detective controls.

Prevention, tied with automated, reactive technologies can minimize operational disruptions from either hostile or accidental incidents.

The Change Kill Chain breaks the concept of ZT/C-SCRM down into 24 major steps, which can then be translated into a project plan. This project was approached from the question of, “If a consultant was hired to build a ZT/C-SCRM program, what would the plan be to start from nothing to get a company to where it has operational ZT/C-SCRM capabilities?” While the Change Kill Chain maps controls from NIST SP 800-161 to the steps in the model, it is important to emphasize that the prioritization and “bucketing” of controls into phases is a subjective endeavor and not everyone may agree with this approach. If you choose to use the Change Kill Chain, you will invariably need to modify the approach to fit your organization's unique business practices and specific needs.

C-SCRM change kill chain

[click on image to download PDF]

nist 800-161 c-scrm prioritized implementation plan

C-SCRM Implementation Plan

C-SCRM Program - Operational Leadership

For C-SCRM to be successful, operational leadership is essential. This “active participation” by a Chief Supply Chain Officer (CSCO), and his/her staff, ensures that processes are effectively carried out on a day-to-day basis. In many industries, the CSCO is often designated as the Chief Operations Officer (COO). Regardless of the official title, the CSCO is responsible for internal and external supply chain processes. This scope ranges beyond simple logistics and manufacturing activities to include:

Efficient operational leadership requires the organization to structure roles that are complementary and not counterproductive. For the CSCO role to be successful in executing the organization’s SCRM program:

c-scrm org chart

Hierarchical SCRM Management Structure [proposed organization chart]

C-SCRM Program - Secure Development Practices

C-SCRM is an enterprise-wide activity that is implemented throughout the System Development Life Cycle (SDLC). Within the concept of secure development practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

Resilience and improvement activities include:

C-SCRM Program - Procurement Practices

C-SCRM lies at the intersection of cybersecurity and supply chain risk management. Existing supply chain and cybersecurity practices provide a foundation for building an effective Risk Management Program (RMP). Therefore, within the concept of procurement practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

C-SCRM Program - Risk Management Practices

C-SCRM needs to be implemented as part of an organization’s overall Enterprise Risk Management (ERM) activities (e.g., NIST SP 800-39 & NISTIR 8286). These risk management practices involve identifying and assessing applicable risks, determining appropriate response actions and developing a C-SCRM strategy. Within the concept of risk management practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

C-SCRM Program - Systems, Applications & Services Management Principles

C-SCRM requires organizations to identify critical systems, applications and services, as well as sensitive data, that are most vulnerable and can cause the largest organizational impact if compromised. Within the concept of systems, applications & services management practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

Can You Honestly Answer How Vendor Cybersecurity Requirements Are Management At Your Organization?

When you "peel back the onion" and prepare for an audit, there is a need to address "the how" for certain topics, such as vendor management. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW the policies and standards are actually implemented. We did the heavy lifting and created several program-level documents to address this need and the Supply Chain Risk Management (SCRM) is one of those products.


Proactively Managing Third-Party Cybersecurity Risk 

ComplianceForge currently offers one (1) product that is specifically designed to assist companies with proactively managing risk associated with third-parties / vendors / suppliers:

The Supply Chain Risk Management (SCRM) is focused on Third-Party Service Providers (TSP) and suppliers. Using vendors or service providers is a common practice - this may range from bookkeeping, to IT support, to janitorial services, to website hosting and even temporary staffing. What all of these outsourced services have in common is that they expose your company to certain levels of risk that could therefore affect your customers' sensitive data. This "soft underbelly" for companies is well known to hackers and identity thieves as a way to get into companies and steal valuable data.

Browse Our Products

  • Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP)

    C-SCRM Strategy & Implementation Plan (C-SCRM SIP)


      NIST SP 800-161 Rev 1 - Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP) Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the C-SCRM is...

    Choose Options

Learn More About Cybersecurity & Data Privacy