How to Do Supply Chain Risk Management Right - According to NIST
As we all remember, the Target security breach affected millions of consumers, it received widespread publicity, and it cost the company millions of dollars to resolve. But what may be less known is that the hack was made possible through a vendor portal. A heating and cooling company doing business with Target was hacked, and thus the cyber criminal got through.
These days, supply chains can be complex, global and interconnected, with resources and processes on multiple levels of organizations. Part of business risk management involves controlling supply chain vendors. A supply chain may begin with products and services for design, development and manufacturing, and extend to processing, handling, and eventually delivery to the end user. Given these interconnected relationships and the potential for liability, supply chain risk management (Supply Chain Risk Management) should have a high priority in most if not all businesses.
Avoiding Unnecessary Cyber Risk
NIST’s Cybersecurity Framework version 1.0, first published in April 2014, offers organizations a flexible way to address cybersecurity by providing a common organizing structure for multiple approaches, as well as standards, guidelines and practices. While the rationale initially was to protect government agencies and U.S. infrastructure (energy, defense, finances, roads, etc.) from cyber attacks, the Framework has quickly lent itself to being adapted by other industries.
An updated NIST CSF draft, version 1.1, was released in December 2017, with a new emphasis on supply chain cybersecurity. It includes recommendations for managing vendors and carefully bringing them into a network without causing unnecessary risk to the business. In particular, Section 3.3 has been expanded to help organizations navigate supply chain risk management. It also provides a common language to communicate cybersecurity requirements among the interdependent stakeholders that are responsible for delivering products and services.
Defining Supply Chain Risk Management
The Framework document defines Cybersecurity Supply Chain Risk Management as “the set of activities necessary to manage cybersecurity risk associated with external parties.” More specifically, the cyber Supply Chain Risk Management considers both the effect of an organization’s cybersecurity on external parties and vice versa. As shown in the figure from the NIST Cybersecurity Framework document (https://doi.org/10.6028/NIST.CSWP.04162018), cyber SC Risk Management takes into account technology suppliers and buyers, as well as non-technology suppliers and buyers.
Thorough Cybersecurity Supply Chain Risk Management activities involve:
Determining supplier cybersecurity requirements
Implementing formal cybersecurity agreement (contracts) with suppliers
Communicating how cybersecurity will be verified and validated
Using assessments to verify cybersecurity requirements are met
Last year, the IT governance organization ISACA launched an audit program that aligns the NIST Cybersecurity Framework with COBIT 5. It is designed to provide management with an assessment of the effectiveness of an organization’s plans to detect and identify cyber threats, and protect against them by remediating on high risk areas.
Supply Chain Risk Management Additions to Framework Core and Tiers
NIST’s Framework version 1.1 added a supply chain risk management category to the Framework Core. One of the main parts of the framework, the Framework Core is a set of cybersecurity activities, outcomes and references that are common across sectors and critical infrastructure. The Framework Core focuses on using business drivers to guide cybersecurity activities and views cybersecurity risk as part of a risk management process. Further, the Framework Core shows activities designed to achieve certain cybersecurity results and includes examples.
Additional risk-management criteria were added to the framework Implementation Tiers. The Tiers provide a means for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which will help them prioritize and achieve their cybersecurity objectives.
Further details of NIST’s Supply Chain Risk Management guidelines can be found in NIST’s Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf. In addition, there are regulations for suppliers - for example DFARS 252.204-7012 / NIST SP 800-171 for the Department of Defense supply chain - that use key NIST controls to help suppliers prove adequate security.
Prioritizing Cybersecurity Decisions
The Framework can be used by organizations in any sector – no matter the size, maturity, or technical sophistication – to improve Supply Chain Risk Management. Utilizing the Framework, organizations can address cybersecurity as it affects the privacy of customers, employees and others. The Framework’s goal is to be flexible enough to be adopted voluntarily by both large and small companies and organizations across all industry sectors, as well as by federal, state and local governments. It has already been adopted, in some version, by many corporations and organizations in countries around the world, according to NIST, and its usage is expected to grow.
“We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework,” said Matt Barrett, program manager for the Cybersecurity Framework.
Cybersecurity is an important component of an organization’s overall risk management. As organizations continue to face unique risks, in the way of cyber threats and vulnerabilities, they also will vary in their risk tolerances and how they customize practices described in the Cybersecurity Framework. Organizations can use the Framework to help determine activities that are important to critical service delivery and can prioritize their investments to maximize the impact of the dollars they spend. The NIST CSF is trusted by 30% of U.S. organizations and climbing - and for good reason.
If you’d like assistance in learning more about how the Framework can assist your organization in addressing cyber Supply Chain Risk Management, get a Free Demo of the CyberStrong Platform - which instantly shows you how to adopt the newest NIST Framework updates and gives you never before seen visibility of risk and compliance across your supply chain.