
The Target security breach affected millions of consumers, received widespread publicity, and cost the company millions of dollars to resolve. What may be less well known is that this supply chain attack was made possible through a vendor portal: a heating and cooling company doing business with Target was compromised, and the attackers used that vendor's access to get into Target's network.

Today cyber supply chains can be complex, global, and interconnected, with resources and processes on multiple levels of organizations. Part of business risk management involves controlling supply chain vendors and ensuring supply chain security. As enterprises become more interconnected, and outsourcing becomes commonplace for every aspect of the business, supply chain risk management (SCRM) becomes paramount to business success if not survival.

Avoiding Unnecessary Cyber Risk

The National Institute of Standards and Technology (NIST)'s Cybersecurity Framework (CSF) version 1.0, first published in April 2014, offers organizations a flexible way to address cybersecurity by providing a common organizing structure for multiple approaches, as well as standards, guidelines, and practices. Developed under an executive order by the Obama administration to protect government agencies and United States critical infrastructure (energy, defense, finance, roads, etc.) from cyber attacks, the CSF was quickly adopted by other industries, including the private sector. Supply chain attacks can rapidly scale up and threaten national security.

An updated NIST CSF draft, version 1.1, was released in December 2017, with a new emphasis on cybersecurity supply chain risk management. This risk management program includes recommendations for managing vendors and carefully bringing them into a network without causing unnecessary risk to the business. In particular, Section 3.3 was expanded to help organizations navigate supply chain risk management. It also provides a common language to communicate cybersecurity requirements among the interdependent stakeholders that are responsible for delivering products and services.

Defining Supply Chain Risk Management

In Version 1.1, NIST Cybersecurity Framework supply chain risk management is defined as “the set of activities necessary to manage cybersecurity risk associated with external parties.” More specifically, cyber vendor risk management considers both the effect of an organization’s cybersecurity on external parties and vice versa. As shown in the figure from the NIST Cybersecurity Framework document, NIST vendor risk management practices take into account hardware and software technology suppliers and buyers, as well as non-technology suppliers and buyers.

Thorough Cybersecurity Supply Chain Risk Management activities involve:  

  • Determining supplier cybersecurity requirements
  • Implementing formal cybersecurity agreements (contracts) with suppliers
  • Communicating how cybersecurity will be verified and validated
  • Using assessments to verify cybersecurity requirements are met

In 2017, the information technology governance organization ISACA launched an audit program that aligns the NIST Cybersecurity Framework with COBIT 5. It outlines a specific approach, including guidance that gives managers insight into how effectively an organization's plans detect and identify cyber threats and protect against them by remediating high-risk areas.

Supply Chain Risk Management Additions to Framework Core and Tiers

Version 1.1 added a supply chain risk management category to the Framework Core. One of the main parts of the Framework, the Framework Core is a set of cybersecurity activities, outcomes, and references that are common across sectors and critical infrastructure. The Framework Core focuses on using business drivers to guide cybersecurity activities and views cybersecurity risk as part of a risk management process. Further, the Framework Core shows activities designed to achieve certain cybersecurity results and includes examples.

Additional risk-management criteria were added to the Framework Implementation Tiers. The Tiers provide a means for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which will help them prioritize and achieve their cybersecurity objectives. 

Further details of NIST’s Supply Chain Risk Management guidelines can be found in NIST’s SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations. In addition to NIST 800-161, there are regulations for suppliers - for example, DFARS 252.204-7012 / NIST SP 800-171 for the Department of Defense supply chain - that use key NIST controls to help suppliers prove adequate security.

Prioritizing Cybersecurity Decisions

The CSF can be used by organizations in any sector – no matter the size, maturity, or technical sophistication – to improve vendor risk management. Utilizing the Framework, organizations can address information security as it affects the privacy of customers, employees, and others. The Framework’s goal is to be flexible enough to be adopted voluntarily by both large and small companies and organizations across all industry sectors, as well as by federal, state, and local governments. It has already been adopted, in some versions, by many corporations and organizations in countries around the world, according to NIST, and its usage is expected to grow. 

“We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework,” said Matt Barrett, program manager for the Cybersecurity Framework.

In the digital age, cybersecurity is becoming (if it is not already) a foundational pillar of an organization's overall risk management. As organizations continue to face unique risks, in the form of varying cyber threats and vulnerabilities, they will also vary in their risk tolerances and in how they customize the practices described in the CSF. Organizations can use the Framework to help determine which activities are important to critical service delivery and can prioritize their investments to maximize the impact of the dollars they spend.

To see how CyberStrong can help your organization implement the gold-standard NIST CSF and streamline your next supply chain risk assessment, schedule a demo today.
