NIST Releases New Supply Chain Risk Guide

Here is another short read for you (sorry).

For those who read this blog on a regular basis, you know that we talk about supply chain risk a lot. Formally, the government calls it Cybersecurity Supply Chain Risk Management or C-SCRM.

Supply chain attacks are very popular because if you pull one off (think SolarWinds), you can infect millions of machines. SolarWinds was just one very visible one, but it seems like there is at least one every week, to varying degrees of severity.

This is another product to come out of NIST as a result of the Executive Order on Improving the Nation’s Cybersecurity (EO 14028).

At a short 300 plus pages, you are not going to consume this all at once, but starting now is a good idea. The problem is not going away any time soon.

One thing they have done is integrated C-SCRM into a broader enterprise-wide risk management conversation. Risk management includes cyber risk, but that is far from where it ends.

They also have a section on critical success factors. Definitely worth a read.

Finally, it has 10 appendices of nuts and bolts, including S-SCRM security controls, a framework, templates and resources.

You can find the document at NIST’s website, here.

If you want to have an in-depth conversation on C-SCRM, please let us know.

by