NIST Shares Key Practices in Cyber Supply Chain Risk Management Based on Observations from Industry

A new publication from the National Institute of Standards and Technology (NIST) provides companies, government agencies, and other organizations with a set of practices that any organization can use to manage the growing cybersecurity risks associated with their supply chains. NIST researched and compiled these practices knowing that organizations can no longer protect themselves simply by securing their own infrastructures: their “electronic perimeters” are no longer meaningful, and threat actors can and do deliberately target the suppliers of more cyber-mature organizations, exploiting the weakest links in the chain.


The report, Key Practices in Cyber Supply Chain Risk Management (C-SCRM): Observations from Industry (NISTIR 8276), can be used to establish or enhance a robust Cyber Supply Chain Risk Management (C-SCRM) function at an organization of any size, scope, or complexity. These practices combine the information contained in existing C-SCRM government and industry resources with insights gathered from 2015-2019 during a NIST research project studying industry best practices. The key practices also include 24 actionable recommendations that synthesize how these practices can be implemented from a people, process, and technology perspective.


The Key Practices are:


Integrate C-SCRM Across the Organization
Establish a Formal C-SCRM Program
Know and Manage Critical Suppliers
Understand the Organization’s Supply Chain
Closely Collaborate with Key Suppliers
Include Key Suppliers in Resilience and Improvement Activities
Assess and Monitor Throughout the Supplier Relationship
Plan for the Full Life Cycle

NIST conducts research and collaborates with a large number and variety of stakeholders to produce information resources that help organizations with their Cyber Supply Chain Risk Management, or C-SCRM. By statute, federal agencies must use NIST’s C-SCRM and other cybersecurity standards and guidelines to protect non-national security federal information and communi ..