This month marks the second annual National Supply Chain Integrity Month, a campaign of the National Counterintelligence and Security Center to raise awareness of supply chain risk. I encourage you to visit the NCSC site to view the resources they provide.  Many are a single page, unlike the 100-200 page publications this community is used to.  Two of my favorites are

• Supply Chain Risk Management: Best Practices in One Page 2021
• NCSC Bakers’ Dozen – 13 Elements of an Effective SCRM Program

The Department of Energy also provides a number of valuable awareness tools and of course CISA Task Force has good information as well.

Security awareness events are intended to encourage organizations to reflect on their current strategies and business processes.  It is a time to evaluate the people, processes, and technologies supporting a particular function within the organization. A time to determine if the focus area is fulfilling its intended purpose.  And finally, to determine if modifications are needed to better support the organization’s interest. 

SCRM is an important topic that has been foot-stomped by the information security and cybersecurity community for two decades.  It is very similar to cybersecurity; it is a program, not a one-and-done task, checklist, or project.  Consider this when reviewing SCRM this month – does your company have an operational program or a stack of papers for the compliance auditor? 

Information and Communications Technology

Following recent well publicized attacks on information and communications technology (ICT), it’s appropriate we focus on ICT supply chain risk management (ICT SCRM).  

We have learned many lessons from cybersecurity that can be applied to ICT SCRM. As with cybersecurity, addressing ICT SCRM through compliance eyes will not protect your organization.  Instead of implementing a program, many organizations are limiting ICT SCRM efforts to vendor questionnaires, a practice that manages liabilities at best. Companies that are serious about ICT SCRM need to develop and resource a program as dynamic as the supplies, vendors, and technologies coming in and out of their organization.  Sure, vendor questionnaires can contribute to a program and may help satisfy compliance requirements, but a program is much more.

Building an ICT-SCRM Program

The National Institute of Standards and Technology (NIST) released guidance on ICT SCRM in April of 2015 in the form of NIST Special Publication (SP) 800-161, which is undergoing a comprehensive update for 2021. This publication identifies two important initial steps to be taken when developing an ICT SCRM program.  First and foremost, a rigorous effort must be undertaken to identify and document the current state of the organization’s supply chain.  That data must be collected, organized, and prioritized to drive internal organizational policy about supply chain risks.  This step, called Frame, lays the foundation on which risk decisions will be made.  Once an understanding of the organization’s supply chain has taken shape and policies have been established, an assessment establishes a baseline. 

Where the Frame step is critical to setting the boundaries, ontology, risk tolerance, and priorities, the Assess step applies that contextual information to specific supplies and suppliers.  An assessment helps uncover the fine-grained details of each supply chain, but should be organized so that data is relevant to a given chain of command. During the Assess step, each vendor, each part, and each secondary-through-nth-tier supplier is documented and measured against the organization’s SCRM policies.

The NIST SP 800-161 ICT SCRM process also includes two additional steps, respond and monitor.  These terms are familiar to cybersecurity teams.  Although there is an overlap between how these terms are used to describe cybersecurity and SCRM processes, there are contextual differences.  In ICT SCRM, we are not only responding to events and monitoring our own technologies; we are monitoring the technologies of the vendors and suppliers as well.

In addition to the information presented in SP 800-161, I recommend NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management.  This publication was released in February 2021.  It is 31 pages of industry observations of the NIST SP 800-161.  It also introduces the evolution of ICT SCRM into the new terminology of Cybersecurity Supply Chain Risk Management (C-SCRM).   A common theme, specifically helpful to the respond and monitor steps, is the need to have strong relationships with suppliers, especially critical suppliers with direct impact on the business or mission.

Managing an ICT SCRM/C-SCRM program requires a substantial amount of data of considerable depth and breadth. Capturing and managing this information using spreadsheets or documents is extremely cumbersome, but optimizing this data for visibility and insight is critical. 

Xacta for ICT SCRM

Xacta® SCRM provides a holistic approach for addressing ICT SCRM.  Taking into consideration the resources presented in this blog post, the Xacta SCRM templates enable an organization to evaluate an existing program based on the NIST SP 800-161 or establish a new program based on the same standard.  The application guides an organization through creating an SCRM Council and Program Plan while capturing process maturity and risk management. 

A key component of an SCRM program is vendor management.  Xacta SCRM makes the contextual association among vendors, supplies, and business objectives. The application facilitates vendor risk management by leveraging CISA SCRM threat definitions in addition to traditional vendor questionnaires.  The application enables the organization to capture the necessary data to illustrate vendor confidence and continuous monitoring.

If you would like to learn more about Xacta SCRM or to evaluate how it can support your ICT SCRM efforts, I hope you’ll visit our website, or reach out directly.