News & Events

{Oct. 2013} -- Note: the deadline to submit comments on the Draft SP 800-161 document has been extended (the link goes to the SCRM Publications page, where links to the draft document and the comment template are provided).

{Aug. 2013} -- NIST announces that Draft Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, has been released for public comment. It can be accessed from either the SCRM Publications page or the CSRC Drafts page.

{Dec. 2012} -- NIST is pleased to announce a report by the University of Maryland’s Supply Chain Management Center: Proof of Concept for an Enterprise ICT SCRM Assessment Package

Contact

General Inquiries
scrm-nist@nist.gov

Jon Boyens
Project Lead
boyens@nist.gov
301-975-5549

Celia Paulsen
Technical Lead
celia.paulsen@nist.gov
301-975-5981

References

***NOTE: THIS LIST DOES NOT CONSTITUTE ENDORSEMENT, BUT IS ONLY INTENDED FOR RESEARCH PURPOSES***

WEBSITES / INITIATIVES

ICT SCRM STANDARDS / BEST PRACTICES EFFORTS

RELATED STANDARDS / BEST PRACTICES EFFORTS

  • American National Standards Institute (ANSI) – “The ANSI Federation’s primary goal is to enhance the global competitiveness of U.S. business and the American quality of life by promoting and facilitating voluntary consensus standards and ensuring their integrity.”
  • Common Criteria – “the driving force for the widest available mutual recognition of secure IT products.”
  • GS1 – “The GS1 System is an integrated system of global standards that provides for accurate identification and communication of information regarding products, assets, services and locations.”
  • Independent Distributors of Electronics Association (IDEA) – “a non-profit trade association representing quality and ethically oriented independent distributors of electronic components.”
      • IDEA/STD 1010-B – Acceptability of Electronic Components Distributed in the Open Market
  • SAE International – a global association of more than 128,000 engineers and related technical experts in the aerospace, automotive and commercial-vehicle industries
      • ARP9113 – Supply Chain Risk Management Guidelines
      • AS5553 – Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition
      • AS9120 – Aerospace Requirements for Stockist Distributors
  • US-CERT “Build Security In” – a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.
  • US Resilience Project – examples of the kinds of capabilities and competencies that companies are creating to manage disasters and to identify their priorities for partnering with government.

RELEVANT NIST PUBLICATIONS / PRESENTATIONS

(Additional NIST publications can be found at http://csrc.nist.gov/publications/index.html)

  • ICT Supply Chain Risk Management Workshop, October 15-16 2012. Final agenda and links to presentations.
  • FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems
  • NIST IR 6462 – Guidance for COTS Security Protection Profiles
  • NIST IR 7622 – Notional Supply Chain Risk Management Practices for Federal Information Systems
  • NIST SP 800-18 R1 – Guide for Developing Security Plans for Federal Information Systems
  • NIST SP 800-30 R1 – Guide for Conducting Risk Assessments
  • NIST SP 800-37 R1 – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  • NIST SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View
  • NIST SP 800-53 R3 – Recommended Security Controls for Federal Information Systems and Organizations
  • NIST SP 800-53 R4 (Final Version) – Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST SP 800-60 Vol. 1 R1 – Guide for Mapping Types of Information and Information Systems to Security Categories
  • NIST SP 800-64 R2 – Security Considerations in the System Development Life Cycle
  • NIST SP 800-137 – Information Security Continuous Monitoring for Federal Information Systems and Organizations

NIST-SPONSORED RESEARCH

  • University of Maryland RH Smith School of Business (2011). Assessing SCRM Capabilities and Perspectives of the IT Vendor Community: Toward a Cyber-Supply Chain Code of Practice.
  • University of Maryland RH Smith School of Business (2011). The ICT SCRM Community Framework Development Project Final Report.
  • Boyson, S., Corsi, T., Rossman, H., Mann, H., Richmond, J. (2012). Proof of Concept for an ICT SCRM Enterprise Assessment Package. University of Maryland RH Smith School of Business.

SCRM OVERVIEWS / LITERATURE REVIEWS

  • Filsinger, J., Fast, B., Wolf, D.G., Payne, J.F.X., Anderson, M. (2012). Supply Chain Risk Management Awareness. Armed Forces Communication and Electronics Association Cyber Committee.
  • Ganeshan, R., Harrison, T.P. (1995). An Introduction to Supply Chain Management. Penn State University.
  • Giunipero, L., Hooker, R., Joseph-Matthews, S., Yoon, T., & Brudvig, S. (2008). A Decade of SCM Literature: Past, Present and Future Implications. Journal of Supply Chain Management, 44 (4), 66-86. DOI: 10.1111/j.1745-493X.2008.00073.x
  • Harrington, L.H., Boyson, S., Corsi, T. (2011). X-SCM: The New Science of X-treme Supply Chain Management. Routledge, New York, NY.
  • Hintsa, J., Gutierrez, X., Wieser, P., & Hameri, A. (2009). Supply Chain Security Management: An Overview. International Journal of Logistics Systems and Management, 5 (3/4), 344-355. DOI: 10.1504/IJLSM.2009.022501
  • Lynch, G.S. (2009). Single Point of Failure: The 10 Essential Laws of Supply Chain Risk Management. John Wiley & Sons, Hoboken, NJ.
  • Vanany, I., Zailani, S., & Pujawan, N. (2009). Supply Chain Risk Management: Literature Review and Future Research. International Journal of Information Systems and Supply Chain Management, 2 (1), 16-33. DOI: 10.4018/jisscm.2009010102
  • Zsidisin, G., Ritchie, B. (2009). Supply Chain Risk: A Handbook of Assessment, Management, and Performance (International Series in Operations Research and Management Science). Springer, New York, NY, USA.

ICT SCRM RESEARCH / REFERENCES

  • Bloomberg (2011). Supply Chain Cybersecurity. Bloomberg View Cybersecurity Conference. New York, NY.
  • Charney, S., Werner, E. (2011). Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust. Microsoft Corporation.
  • Ellison, R., Goodenough, J., Weinstock, C., & Woody, C. (2010). Evaluating and Mitigating Software Supply Chain Security Risks (CMU/SEI-2010-TN-016). Retrieved February 08, 2013, from the Software Engineering Institute, Carnegie Mellon University website.
  • Filsinger, J., Fast, B., Wolf, D.G., Anderson, M. (2012). Supply Chain Risk Management Awareness. Armed Forces Communication and Electronics Association Cyber Committee.
  • Gorman, C. (2012). Counterfeit Chips on the Rise. IEEE Spectrum, 49 (6), 16-17.
  • IATAC (2010). Risk Management for the Off-the-Shelf (OTS) Information Communications Technology (ICT) Supply Chain [For Official Use Only]. SOAR.
  • Institute for Defense Analyses (2011). Challenges in Cyberspace. IDA Research Notes.
  • Information Security Forum (2012). Securing the Supply Chain: Preventing Your Suppliers’ Vulnerabilities from Becoming Your Own.
  • Kimmins, J. (2011). Telecommunications Supply Chain Integrity: Mitigating the Supply Chain Security Risks in National Public Telecommunications Infrastructures. Cybersecurity Summit (WCS), 2011 Second Worldwide, 1-4.
  • Qiu, X. (2011). Architectural Solution Integration to Contain ICT Supply Chain Threats. Cybersecurity Summit (WCS), 2011 Second Worldwide, 1-4.
  • Siegfried, M. (2012). Defending Cyberspace: Businesses Search for Ways to Protect Their Computer Networks and Supply Chains Against Relentless Attacks by Cybercriminals. Inside Supply Management.
  • Simpson, S. (2008). Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today. SAFECode.
  • Simpson, S. (2009). The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain. SAFECode.
  • West, D.M. (2013). Twelve Ways to Build Trust in the ICT Global Supply Chain. Issues in Technology Innovation. Center for Technology Innovation at Brookings.

OTHER RELEVANT RESEARCH / STUDIES

  • Information Flow
      • Evelyne V., Kenneth K. B., Ann V. (2009). Supply Chain Information Flow Strategies: An Empirical Taxonomy. International Journal of Operations & Production Management, 29 (12), 1213-1241. DOI: 10.1108/01443570911005974
      • Bi, H., Lin, D. (2009). RFID-Enabled Discovery of Supply Networks. IEEE Transactions on Engineering Management, 56 (1), 129-141.
  • Threats / Vulnerabilities
      • Finch, P. (2004). Supply Chain Risk Management. Supply Chain Management: An International Journal, 9 (2), 183-196. DOI: 10.1108/13598540410527079
      • FM Global (2006). The New Supply Chain Challenge: Risk Management in a Global Economy.
      • Glickman, T.S., & White, S.C. (2006). Security, Visibility and Resilience: The Keys to Mitigating Supply Chain Vulnerabilities. International Journal of Logistics Systems and Management, 2 (2), 107-119. DOI: 10.1504/IJLSM.2006.009554
      • Peck, H. (2005). Drivers of Supply Chain Vulnerability: An Integrated Framework. International Journal of Physical Distribution & Logistics Management, 35 (4), 210-232. DOI: 10.1108/09600030510599904
      • Hendricks, K. & Singhal, V. (2003). The Effect of Supply Chain Glitches on Shareholder Wealth. Journal of Operations Management, 21 (5), 501-522. DOI: 10.1016/j.jom.2003.02.003
      • Symantec Corporation (2013). Internet Security Threat Report. Annual Report.
      • Mandiant (n.d.). M-Trends Reports. Annual Report.
      • McAfee Labs (2013). McAfee Threats Report: First Quarter 2013. Quarterly Report.
      • Microsoft Corporation (n.d.). Microsoft Security Intelligence Report (SIR). Bi-annual Report.
      • Monroe, R.W., Teets, J.M., Martin, P.R. (2012). A Taxonomy for Categorizing Supply Chain Events: Strategies for Addressing Supply Chain Disruptions. Southeast Decision Sciences Institute.
      • Norton by Symantec (n.d.). Norton Cybercrime Report 2012.
      • Palo Alto Networks (n.d.). The Modern Malware Review. Annual Report.
      • Pecht, M., Tiku, S. (2006). Bogus: Electronic Manufacturing and Consumers Confront a Rising Tide of Counterfeit Electronics. IEEE Spectrum, 43 (5), 37-46.
      • Wagner, S., Bode, C., & Koziol, P. (2009). Supplier Default Dependencies: Empirical Evidence from the Automotive Industry. European Journal of Operational Research, 199 (1), 150-161. DOI: 10.1016/j.ejor.2008.11.012
  • Risk Management
      • Aberdeen Group (2008). Supply Chain Risk Management: Building a Resilient Global Supply Chain. Aberdeen Group.
      • Adaptive systems: control versus emergence. Journal of Operations Management, 19 (3), 351-366. DOI: 10.1016/S0272-6963(00)00068-1
      • Basu, et al. (2008). Supply Chain Risk Management: A Delicate Balancing Act. IBM Global Business Services White Paper.
      • Boyson, S., Corsi, T., Rossman, H. (2009). Building a Cyber Supply Chain Assurance Reference Model. SAIC & R. H. Smith School of Business.
      • Chopra, S., & Sodhi, M.S. (2004). Managing Risk to Avoid Supply-Chain Breakdown. MIT Sloan Management Review, 46 (1), 53-61. DOI: 10.1108/09600030410545427
      • Christopher, M. (2005). Managing Risk in the Supply Chain. In Logistics and Supply Chain Management (3rd ed., pp. 231-258). Harlow: Prentice Hall.
      • Deloitte (2013). The Ripple Effect: How Manufacturing and Retail Executives View the Growing Challenge of Supply Chain Risk.
      • Khan, O., Zsidisin, G.A. (2011). Handbook for Supply Chain Risk Management: Case Studies, Effective Practices and Emerging Trends.
      • Kiser, J., & Cantrell, G. (2006). Six Steps to Managing Risk. Supply Chain Management Review, 10 (3), 12-17.
      • Pfohl, H., Köhler, H., & Thomas, D. (2010). State of the Art in Supply Chain Risk Management Research: Empirical and Conceptual Findings and a Roadmap for the Implementation in Practice. Logistics Research, 2 (1), 33-44. DOI: 10.1007/s12159-010-0023-8
      • Sodhi, M., Son, B., & Tang, C. (2011). Researchers’ Perspectives on Supply Chain Risk Management. Production and Operations Management, 21 (1), 1-13. DOI: 10.1111/J.1937-5956.2011.01251.X
      • Stecke, K., & Kumar, S. (2009). Sources of Supply Chain Disruptions, Factors That Breed Vulnerability, and Mitigating Strategies. Journal of Marketing Channels, 16 (3), 193-226. DOI: 10.1080/10466690902932551
      • Tan, K.C. (2002). Supply Chain Management: Practices, Concerns, and Performance Issues. Journal of Supply Chain Management, 38, 42-53. DOI: 10.1111/j.1745-493X.2002.tb00119.x
      • World Economic Forum (2012). Building Resilience in Supply Chains.
      • Zacharia, Z., Sanders, N., & Nix, N. (2011). The Emerging Role of the Third-Party Logistics Provider (3PL) as an Orchestrator. Journal of Business Logistics, 32 (1), 40-54. DOI: 10.1111/j.2158-1592.2011.01004.x
  • Resiliency / Continuity of Supply
      • Christopher, M., & Peck, H. (2004). Building the Resilient Supply Chain. The International Journal of Logistics Management, 15 (2), 1-14. DOI: 10.1108/09574090410700275
      • Cox, A., Prager, F., & Rose, A. (2011). Transportation Security and the Role of Resilience: A Foundation for Operational Metrics. Transport Policy, 18 (2), 307-317. DOI: 10.1016/j.tranpol.2010.09.004
      • Creating Resilient Supply Chains: A Practical Guide. Centre for Logistics and Supply Chain Management at the Cranfield School of Management.
      • Pettit, T.J., Fiksel, J., & Croxton, K.L. (2010). Ensuring Supply Chain Resilience: Development of a Conceptual Framework. Journal of Business Logistics, 31 (1), 1-21. ProQuest document ID: 2020607081
      • World Economic Forum (2013). Building Resilience in Supply Chains.
  • Product Integrity / Quality
      • (ISC)2 Government Advisory Board Executive Writers Bureau, Special to GCN (2009). The Recipe for ‘Baking in’ Security in Software Systems. GCN.
      • Cadzow, S., Giannopoulos, G., Merle, A., Storch, T., Vishik, C., Gorniak, S., Ikonomou, D. (2012). Supply Chain Integrity – An Overview of the ICT Supply Chain Risks and Challenges, and Vision for the Way Forward. European Network and Information Security Agency.
      • CapGemini (2011). World Quality Report.
      • Evans, J.W., Evans, J.Y., Ryu, D. (2001). Product Integrity and Reliability in Design. Springer, Great Britain.
      • Granstrand, O., Bohlin, E., Oskarsson, C. and Sjöberg, N. (1992). External Technology Acquisition in Large Multi-Technology Corporations. R&D Management, 22, 111-134. DOI: 10.1111/j.1467-9310.1992.tb00801.x
      • Lee, H.L., & Whang, S. (2005). Higher Supply Chain Security with Lower Cost: Lessons from Total Quality Management. International Journal of Production Economics, 96 (3), 289-300.
      • Myers, G., Sandler, C., Badgett, T. (2012). The Art of Software Testing. John Wiley & Sons, Inc., Hoboken, NJ, USA.
      • Patton, R. (2001). Software Testing (2nd Edition). Sams, Indianapolis, IN, USA.
      • Storch, T. (2011). Toward a Trusted Supply Chain: A Risk Based Approach to Managing Software Integrity. Microsoft Corporation.

Tools