Cyber supply chain risk management (C-SCRM) is the process of identifying, assessing, and mitigating cybersecurity risks associated with an organization’s supply chain. Supply chains comprise multiple attack vectors, ranging from procurement tools to suppliers, developers, and third-party services. The complexity of this attack surface warrants a risk management strategy focused on supply chain risks as an extension to an existing third-party risk management program.
A C-SCRM lifecycle commonly consists of four stages:
- Prospecting: The first stage of a C-SCRM program often involves vetting prospective vendors and suppliers to ensure superficial assessments indicate that security postures align with enterprise risk management standards. This process ensures all onboarded vendors and software supply chain entities meet the security requirements of a “safe” supply chain relationship, streamlining subsequent vendor risk management processes.
- Acquisition: This stage of a C-SCRM program focuses on evaluating the severity of security risks associated with onboarded supply chain relationships. It also evaluates the potential impact these security risks would have on the business if cybercriminals exploited them to carry out cyber threats, such as ransomware and other malware. These exposures often originate in information and communication technology (ICT) products and services.
- Risk management: After onboarding, all third-party vendors and service providers are enrolled in a regular vendor risk assessment schedule to manage risks rising beyond tolerance levels. The frequency and severity of these risk assessments are commensurate with the potential impacts of supply chain threats and each entity’s level of access to sensitive information.
- Continuous monitoring: The ongoing monitoring of the efficacy of implemented security controls and mitigation of emerging supply chain cyber attack risks. Continuous monitoring could also involve tracking the resistance of supplier information systems and information technology to disruptions caused by supply chain threats.
For large organizations with a supply chain ecosystem of 50+ vendors and third-party services, C-SCRM should play an integral role in a Third-Party Risk Management program.
The difference: C-SCRM vs ICT SCRM
Information and communications technology supply chain risk management (ICT SCRM) focuses on managing security risks associated with ICT products in the supply chain, such as hardware, communication technology, and software. Cyber supply chain risk management (C-SCRM) has a broader risk management scope that includes all entities in an organization’s supply chain, not just ICT, making ICT SCRM a subset of cybersecurity supply chain risk management.
Some examples of supply chain threats addressed in an ICT SCRM include:
- Software vulnerabilities
- Instances of firmware tampering
- Security risks in IoT devices
- Counterfeit hardware components
- Insecure communication protocols that introduce cyber risk
- Malicious code embedded in software updates
- Poor quality security measures during ICT development lifecycles
- Lack of security patches or outdated software
- Unauthorized access to sensitive data through compromised ICT systems
- Supply chain disruptions affecting the availability of ICT products and services
- Weak authentication mechanisms in network devices
Some examples of supply chain security risks addressed in a C-SCRM include:
- Third-party vendor data breaches
- Geopolitical risks affecting supplier availability
- Inadequate vendor cybersecurity practices or governance
- Regulatory non-compliance by suppliers
- Fourth-party (subcontractor) vulnerabilities in the supply chain
- Financial instability or insolvency of key suppliers
- Insider threats from supplier personnel
- Disruptions due to natural disasters impacting vendor operations
- Legal risks from poor contract management with vendors
- Concentration risks from over-reliance on a single supplier
The impact of cyber supply chain risk management on regulations
A growing number of regulations require organizations to implement cyber risk mitigation initiatives within their supply chain to reduce the risk of sensitive data access through a compromised supply chain relationship.
C-SCRM supports compliance with three widely applied information security regulations, each of which has a supply chain cyber risk mitigation component.
GDPR: The General Data Protection Regulation
The GDPR expects organizations (referred to as data controllers) to ensure that all external data processors adhere to strict, sensitive data protection principles. Since a “data processor” could be any external party, not just those within the vendor ecosystem, the GDPR's TPRM requirements impact an organization’s entire supply chain.
HIPAA: The Health Insurance Portability and Accountability Act
HIPAA requires healthcare organizations to ensure that all vendors in their supply chain processing protected health information (PHI) implement data protection safeguards. This process involves vendors entering into Business Associate Agreements (BAAs) to ensure their critical systems have sufficient security controls to withstand breach attempts.
PCI DSS: The Payment Card Industry Data Security Standard
As expected of a regulation protecting financial data, the most sensitive category of personal data, the PCI DSS enforces the highest degree of data breach protection. That protection extends security controls to the third-party attack surface, which is among the top three factors contributing to higher data breach costs.
4-step supply chain cybersecurity risk management plan
The following is a high-level C-SCRM framework that you can adapt to any External Attack Surface Management context.
Step 1: CISO engagement
Involve your chief information security officer (CISO) to outline the company’s strategic direction for supply chain risk management. Such a policy should include:
- A strategy for integrating a C-SCRM with an existing enterprise risk management framework.
- An outline of best practices for supply chain risk management, such as policies for vetting prospective supply chain relationships and defining an ideal ratio between on-premise and external services.
- A clear definition of roles and responsibilities for managing supply chain risks.
- A reporting protocol for keeping senior management and stakeholders informed of SCRM efforts.
The CISO's input is required to design an effective C-SCRM strategy, ensuring security practices align with business success metrics.
Step 2: Ensure your supply chain inventory is updated
With an external network of 50 or more vendors alone, maintaining an up-to-date supply chain relationship inventory is almost impossible without the support of automation. A third-party risk management platform, such as UpGuard, could streamline a significant portion of this effort with automatic fourth-party vendor detection and the identification of internet-facing IT assets comprising your organization’s digital footprint.
Step 3: Accurately classify all external relationships
After completing your supplier inventory, each entity's criticality level will need to be determined. This will allow high-risk suppliers to be grouped in a separate tier, streamlining subsequent risk management processes.
Though the classification process could be conducted with risk assessments, to establish a scalable foundation for your SCRM, you should ideally complete it during the supplier onboarding phase with a platform aggregating security posture information for external partners, such as Trust Exchange by UpGuard.
A “high-risk” classification is a function of the following metrics:
- Data access: Supply chain relationships with access to sensitive data or critical infrastructure should be classified as “high risk” and enrolled into the most stringent level of ongoing monitoring processes - real-time security posture monitoring.
- Compliance requirements: Supply chain entities directly bound to specific regulations, such as HIPAA or PCI DSS, or those with the greatest potential impact on your compliance efforts should be prioritized in risk management efforts.
- Service criticality: Supplier relationships directly supporting critical infrastructure or the availability of essential business processes should be grouped within the most crucial tier of a risk management program. This will allow detected risks to undergo prompt remediation before they result in costly business disruptions.
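The three metrics above can be applied mechanically once the supplier inventory exists. The following is an added example, not code from the page or from UpGuard, that tiers a small constructed inventory: any supplier that trips the data access, compliance, or service criticality metric lands in the high-risk tier and is assigned real-time posture monitoring, as the text describes; treating a single metric as sufficient for high-risk, the "standard" tier label, its periodic cadence, and all supplier names are assumptions made for the example.

```python
"""Supplier criticality tiering for a C-SCRM inventory (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

HIGH_RISK = "high-risk"
STANDARD = "standard"  # assumed label for everything that is not high-risk

# Monitoring cadence per tier. Real-time posture monitoring for the high-risk
# tier follows the text; the cadence for the standard tier is an assumption.
MONITORING_CADENCE = {
    HIGH_RISK: "real-time security posture monitoring",
    STANDARD: "scheduled periodic risk assessment",
}


@dataclass(frozen=True)
class Supplier:
    name: str
    sensitive_data_access: bool = False        # data access metric
    regulations: FrozenSet[str] = frozenset()  # compliance requirements metric
    supports_critical_service: bool = False    # service criticality metric


@dataclass
class Classification:
    tier: str
    reasons: List[str]   # which metrics triggered the tier, for the audit trail
    monitoring: str


def classify(supplier: Supplier) -> Classification:
    """Apply the three high-risk metrics; any single trigger is enough (assumption)."""
    reasons: List[str] = []
    if supplier.sensitive_data_access:
        reasons.append("data access")
    if supplier.regulations:
        reasons.append("compliance: " + ", ".join(sorted(supplier.regulations)))
    if supplier.supports_critical_service:
        reasons.append("service criticality")
    tier = HIGH_RISK if reasons else STANDARD
    return Classification(tier, reasons, MONITORING_CADENCE[tier])


def tier_inventory(suppliers: List[Supplier]) -> Dict[str, List[str]]:
    """Group supplier names by tier so the high-risk tier can be managed separately."""
    tiers: Dict[str, List[str]] = {HIGH_RISK: [], STANDARD: []}
    for supplier in suppliers:
        tiers[classify(supplier).tier].append(supplier.name)
    return tiers


# Constructed sample inventory; names and attributes are hypothetical.
SAMPLE_INVENTORY = [
    Supplier("Payroll SaaS (hypothetical)", sensitive_data_access=True,
             regulations=frozenset({"GDPR"})),
    Supplier("Managed DNS provider (hypothetical)", supports_critical_service=True),
    Supplier("Office catering vendor (hypothetical)"),
    Supplier("Card payment gateway (hypothetical)", sensitive_data_access=True,
             regulations=frozenset({"PCI DSS"}), supports_critical_service=True),
]

if __name__ == "__main__":
    for s in SAMPLE_INVENTORY:
        c = classify(s)
        print(f"{s.name}: {c.tier} ({'; '.join(c.reasons) or 'no trigger'}) -> {c.monitoring}")
    print(tier_inventory(SAMPLE_INVENTORY))
```

Recording the triggering metrics alongside the tier matters in practice: when a supplier's access or regulatory scope changes, the `reasons` list shows which assessment questions must be revisited rather than forcing a full re-assessment.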
The CrowdStrike incident highlighted how quickly essential services can be reinstated when risk management efforts focus on the most vulnerable components of the supply chain.
Step 4: Implement a cyber framework addressing SCRM
For your SCRM program to naturally extend from your existing enterprise risk management processes, the company’s cybersecurity framework must accommodate supply chain risks.
Thankfully, one of the most common cybersecurity frameworks by the National Institute of Standards and Technology, NIST CSF 2.0, includes a category dedicated to C-SCRM within its “Govern” function. Simply following the subcategories of that category guides you through the process of implementing a C-SCRM program:
- GV.SC-01: Outlines creating a C-SCRM strategy with objectives, policies, and processes.
- GV.SC-02: Identifies the roles and responsibilities of a C-SCRM program.
- GV.SC-04: Identifies an organization’s suppliers and determines their criticality.
- GV.SC-05: Outlines the requirements of a C-SCRM program.
NIST SP 800-53 (revision 5) and NIST SP 800-161 (revision 1) provide more detailed guidance for supply chain risk management, which is especially beneficial to federal agencies.
Mandatory C-SCRM requirements
The incorporation of C-SCRM requirements in NIST standards results from legislative and regulatory developments in response to the SolarWinds supply chain attack. For your convenience, the primary actions specifically addressing supply chain risk management are summarized below:
- The Federal Acquisition Supply Chain Security Act of 2018 (FASCSA): Requires federal agencies to establish Cyber Supply Chain Risk Management (C-SCRM) programs and manage supply chain risks through assessment, mitigation, and information sharing. It also enhances coordination among federal agencies to address supply chain security threats.
- Section 889 of the National Defense Authorization Act (NDAA) for Fiscal Year 2019: Prohibits federal agencies from contracting with entities that use telecommunications or video surveillance equipment from specific Chinese companies, including Huawei, ZTE, and Hikvision.
- Executive Order 13873 of May 15, 2019: Prohibits transactions involving ICT products or services supplied by entities controlled by foreign adversaries that pose a risk to national security, critical infrastructure, or the digital economy of the United States.
- Committee on National Security Systems Directive (CNSSD) No. 505, Supply Chain Risk Management (SCRM): Establishes responsibilities and minimum criteria for developing, deploying, and maintaining a Supply Chain Risk Management (SCRM) program for National Security Systems (NSS) and non-NSS that directly support them.
- Federal Information Security Modernization Act of 2014 (FISMA): FISMA requires federal agencies to report quarterly and annually on their Cyber Supply Chain Risk Management (C-SCRM) performance. Products, system components, and services provided by external suppliers must meet the agency's cybersecurity and supply chain standards.
Best practices for cyber supply chain risk management
The following best practices will streamline implementing a C-SCRM program and mitigate the risks of operational disruptions surfacing as your program matures.
1. Follow a holistic approach
Like all cyber risk management frameworks, the C-SCRM program will only be successful if it involves multiple departments, people, and processes. A cross-organization approach ensures that department policies align with C-SCRM objectives and that the program's objectives are clearly communicated across the business.
Involving multiple departments helps you develop a plan accommodating each department's unique cyber risk management challenges (supporting step 1 in the framework above). It also lets you document and track all the supplier relationships each department is engaged in (supporting step 2 in the framework above).
2. Perform regular risk assessments
Ongoing risk assessments are the backbone of a successful C-SCRM program. These assessments should evaluate each supplier’s security posture and level of alignment with applicable regulatory standards.
A tool such as UpGuard offers a scalable approach to managing risk assessment for an extensive network of suppliers.
3. CISO Engagement
The CISO should actively participate in C-SCRM efforts across each supplier relationship lifecycle. At the start of each new high-risk supplier relationship, CISO input is required to design bespoke risk treatment plans harmonizing the company’s third-party risk appetite and the organization’s strategic objectives. Beyond onboarding, CISOs should have access to reporting and dashboards tracking the security postures of all high-risk supplier relationships to support a proactive approach to Cyber Supply Chain Risk Management.
The CISO is responsible for championing a security culture that prioritizes supply chain risks in the organization.
Key elements of a cyber supply chain risk management policy
The following anatomy of a C-SCRM policy addresses all of the essential components of an effective risk management program.
Policy essentials
A C-SCRM policy should address the following key elements as a minimum:
- Regulatory compliance: An expectation for all suppliers to align with the standards of applicable cybersecurity laws and regulations, such as the GDPR, HIPAA, or PCI DSS
- Supplier categorization: The categorization (or tiering) of suppliers based on their level of access to sensitive data and level of dependence on the availability of critical services
- Incident response: Clear protocols for identifying, escalating, and addressing security incidents that arise from the supply chain
- Ongoing monitoring: A continuous monitoring process for tracking emerging supply chain risks
Regulatory and cyber framework alignment
This section of the C-SCRM policy outlines the standards the organization should align with to support its cyber supply chain risk management efforts, which could include:
- NIST CSF 2.0: An industry-agnostic standard addressing supply chain risk management with a governance function.
- NIST SP 800-161: A framework outlining detailed best practices for managing supply chain cyber risks impacting federal systems.
- ISO 27001: An information security management standard that also addresses supply chain risks.
- GDPR: A data protection standard extending to the risk management efforts of third-party services.
Third-party vetting process
A crucial aspect of any C-SCRM policy is the vetting process for third-party vendors, which should include the following:
- Complete due diligence during the onboarding process to assess a vendor’s cybersecurity standards, including their policies on data security, incident response, and regulatory compliance.
- Require vendors to provide additional security documents, such as security certifications, during the vetting process to broaden the context of their security posture.
- Establish clear contractual obligations for vendors to align with your C-SCRM obligations, such as prompt reporting of supply chain disruptions, whether from operational hiccups or cyberattacks.
C-SCRM Metrics and Reporting
You can use the following metrics to measure and track the effectiveness of your C-SCRM program:
- General performance metrics: Key Performance Indicators (KPIs) for high-level tracking of your C-SCRM program, such as the number of vendor assessments completed, incidents detected through continuous monitoring, and the impact of remediation efforts
- Supplier security ratings: Risk scores, commonly referred to as “Security Ratings,” quantify suppliers' security postures. They simplify the detection of emerging security risks while allowing for more focused oversight of high-risk vendors.
- Real-Time Reporting: Real-time reports to stakeholders highlighting vendor risk levels, regulatory compliance efforts, and the impact of risk mitigation efforts. A regular reporting workflow helps the leadership team consider the potential impact on the company’s C-SCRM metrics when making strategic business decisions.