Applying the NIST Supply Chain Risk Management Framework

The 2013 Target breach exposed the payment card and personal data of tens of millions of consumers. The attack received widespread publicity, and the incident response, remediation and settlements cost the company many millions of dollars. What is less well known is that the attackers never broke through Target's own perimeter directly: they compromised a heating and cooling contractor that did business with Target and used that vendor's access to Target's vendor portal to get inside. In other words, it was a supply chain attack, and it caused Target both financial and reputational damage.

Today's cyber supply chains are complex, global and interconnected, with resources and processes spread across many tiers of suppliers and sub-suppliers. That distributed structure increases cybersecurity risk throughout the entire lifecycle of ICT/OT products and services: a weakness introduced at any tier, from component manufacturing to deployment and maintenance, can surface in the buyer's environment. Controlling the global vendor base and assuring the integrity of what flows through it is therefore part of ordinary business risk management.

As outsourcing becomes commonplace for nearly every aspect of the business, the web of dependencies between an enterprise and its suppliers adds risk and complexity. Supply chain risk management (SCRM) becomes paramount to business success, if not survival, and managing cybersecurity risk is a critical component of it, since many of the threats arising from these interdependencies are cyber threats.

Avoiding Unnecessary Cyber Risk

The National Institute of Standards and Technology (NIST)'s Cybersecurity Framework (CSF) version 1.0, first published in February 2014, offers organizations a flexible way to address cybersecurity risk by providing a standard organizing structure into which multiple approaches, standards, guidelines and practices can be mapped. Developed under Executive Order 13636 of February 2013 to protect federal agencies and the United States' critical infrastructure (energy, defense, finance, transportation, etc.) from cyber attacks, the CSF was quickly adopted by other industries, including the private sector. Supply chain attacks are a particular concern because a single compromised supplier or component can propagate into many organizations at once; without due diligence on suppliers they can rapidly scale up and threaten national security.

NIST released a second draft of CSF version 1.1 in December 2017 (the final version followed in April 2018) with a new emphasis on cybersecurity supply chain risk management. In particular, Section 3.3, on communicating cybersecurity requirements with stakeholders, was expanded to help organizations navigate supply chain risk management, and it provides a common language for cybersecurity requirements among the interdependent stakeholders responsible for delivering products and services. The detailed guidance lives in NIST SP 800-161, which describes how to assess and mitigate supply chain risk and integrate it into an organization's broader cybersecurity practices. Its recommendations cover managing vendors and integrating them into the network without creating unnecessary risk to the business, and it treats written C-SCRM policy as the foundation for addressing supply chain risk strategically rather than case by case. The 2022 revision, SP 800-161 Rev. 1 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations), updates and strengthens these practices in line with recent federal initiatives on supply chain security and trustworthiness.

Defining Supply Chain Risk Management

In Version 1.1, the NIST Cybersecurity Framework defines supply chain risk management as "the set of activities necessary to manage cybersecurity risk associated with external parties." More specifically, SCRM considers both the effect of an organization's cybersecurity on external parties and the effect of external parties' cybersecurity on the organization. As the CSF's figure of cyber supply chain relationships shows, these practices cover technology suppliers and buyers (hardware and software) as well as non-technology suppliers and buyers. Risks such as malicious software, poor manufacturing practices, counterfeit parts and unauthorized production can compromise product integrity, so secure development and manufacturing practices matter at every tier of the supply chain, not only at the final vendor.

Thorough cybersecurity supply chain risk management, as CSF 1.1 describes it, consists of a small set of activities that an organization applies to each supplier:

  • Determining cybersecurity requirements for suppliers

  • Enacting those requirements through formal agreements, such as contracts

  • Communicating to suppliers how the requirements will be verified and validated

  • Verifying that the requirements are met through assessments (questionnaires, audits, testing)

  • Governing and managing the activities above

Key practices for effective SCRM include clear policies, ongoing monitoring of suppliers rather than a one-time check at onboarding, and integrating supply chain risk into the organization's existing system security and risk management processes. Identifying, assessing and mitigating risk throughout the supply chain lifecycle is critical to protect against threats such as counterfeit insertion, tampering and malware.

The supply chain ecosystem includes not only IT but also operational technology and service supply chains, both of which require robust system security measures to address vulnerabilities across the entire lifecycle.

In 2017, the IT governance association ISACA launched an audit program that aligns the NIST Cybersecurity Framework with COBIT 5. It outlines a C-SCRM-specific approach, including guidance to help managers assess how effectively an organization's plans detect and identify cyber threats and protect against them by remediating high-risk areas. Security within the system development life cycle underpins this: baseline configurations, security controls and ongoing assessments are established for each system, and the organization, not its suppliers, remains responsible for implementing and maintaining them as part of a comprehensive risk management strategy. Understanding where an organization falls on the maturity scale is a key step in determining the right risk management approach.

Executive Order and Regulatory Requirements

Managing supply chain risk is not just a best practice; it is a regulatory expectation shaped by executive orders and federal requirements. Executive Order 14028 of May 2021, for example, renewed the focus on software supply chain security. It imposes stronger cybersecurity supply chain risk management (C-SCRM) requirements on federal agencies and, through federal procurement, on the private-sector vendors that supply them. In response, NIST updated its guidance, with Special Publication 800-161 Revision 1 serving as the cornerstone for organizations seeking to identify, assess and mitigate cyber supply chain risk.

Organizations working with federal agencies or handling sensitive data must navigate a complex landscape of laws and regulations, including the Federal Information Security Modernization Act (FISMA) and the Defense Federal Acquisition Regulation Supplement (DFARS). These require robust supply chain risk management programs, including comprehensive risk assessments, proactive mitigation strategies and ongoing monitoring of suppliers. The NIST C-SCRM program offers detailed guidance and practical tools to help organizations implement these practices effectively.

A key aspect of effective SCRM is adopting a holistic approach that spans the entire life cycle of products and services—from initial design and development through deployment and ongoing maintenance. This means organizations must be vigilant in identifying potential vulnerabilities, assessing the likelihood and impact of supply chain risks, and applying control enhancements to mitigate those risks. The NIST framework provides structured guidance on essential practices, such as supply chain mapping, risk assessments, and targeted controls, to address unique risks within the supply chain.

Smaller organizations, despite limited resources, can still benefit from the flexibility and scalability of the NIST C-SCRM framework. By prioritizing supply chain risk management and adopting effective practices, even organizations with fewer resources can significantly reduce the likelihood and impact of cyber supply chain risks. This not only protects their own operations, but also helps maintain the integrity and trustworthiness of their products and services for customers and stakeholders.

In summary, executive orders and regulatory requirements are central to shaping how organizations approach supply chain risk management. Compliance is essential for ensuring the security and integrity of products and services, especially for those working with federal agencies or handling sensitive information. The NIST C-SCRM program provides a comprehensive, adaptable framework for managing supply chain risk, offering practical tools and guidance for organizations of all sizes. By embracing robust supply chain risk management practices, organizations can safeguard their operations, protect their stakeholders, and build lasting trust in an increasingly interconnected world.

Supply Chain Risk Management Additions to Framework Core and Tiers

Version 1.1 added a Supply Chain Risk Management category (ID.SC) under the Identify function of the Framework Core. Its subcategories cover establishing and managing SCRM processes, identifying and prioritizing suppliers, using contracts to impose security requirements, routinely assessing suppliers, and planning and testing response and recovery with them. Version 1.1 also wove cyber supply chain considerations into the four Implementation Tiers, so an organization's tier now reflects how well it understands and manages risk from its suppliers as well as its own. The Framework Core focuses on using business drivers to guide cybersecurity activities and treats cybersecurity risk as part of the organization's overall risk management process.

Further details of NIST's supply chain risk management guidance can be found in NIST Special Publication 800-161. As outlined there, developing C-SCRM plans, including detailed policies, implementation procedures and risk assessment processes, is essential to a comprehensive supply chain risk management strategy. In addition to SP 800-161, there are regulations aimed directly at suppliers: for example, DFARS 252.204-7012 requires Department of Defense contractors to implement the security requirements of NIST SP 800-171, which draw on key NIST security control families, to demonstrate adequate security for the information they handle.

Prioritizing Cybersecurity Decisions

The CSF can be used by organizations in any sector, regardless of size, maturity or technical sophistication, to improve vendor risk management. Using the Framework, organizations can address information security issues that affect the privacy of customers, employees and others. The Framework is designed to be flexible enough for voluntary adoption by companies large and small across all industry sectors, as well as by federal, state and local governments. According to NIST, it has already been adopted, in one version or another, by many corporations and organizations around the world, and its usage is expected to grow.

“We're looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework,” said Matt Barrett, program manager for the Cybersecurity Framework.

In the digital age, cybersecurity is becoming (if it isn't already) a foundational pillar of an organization's risk management. As organizations continue to face unique risks, varying cyber threats and vulnerabilities, they will also differ in their risk tolerances and in how they customize the practices described in the CSF. Organizations can use the Framework to determine which activities are critical to service delivery and to prioritize their investments to maximize the impact of the dollars they spend.

See how CyberStrong can empower your cybersecurity team to implement the gold-standard NIST CSF and streamline your next supply chain risk assessment. Schedule a demo today.