Information, communications, and operational technology (ICT/OT) users rely on a complex, globally distributed, and interconnected supply chain ecosystem to provide highly refined, cost-effective, and reusable solutions. This ecosystem is composed of various entities with multiple tiers of outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices, all of which interact to design, manufacture, distribute, deploy, use, maintain, dispose of, and otherwise manage products and services.
The NIST Cyber Supply Chain Risk Management (C-SCRM) project helps organizations to manage the increasing risk of cyber supply chain compromise, whether intentional or unintentional. The factors that allow for low-cost, interoperability, rapid innovation, a variety of product features, and other benefits also increase the risk of a compromise to the cyber supply chain, which may result in risks to the end user. Managing cyber supply chain risks require ensuring the integrity, security, quality and resilience of the supply chain and its products and services. Cyber supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cyber supply chain.
Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of ICT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise a product or service at any stage.
NIST is responsible for developing reliable and practical standards, guidelines, tests, and metrics to help protect non-national security federal information and communications infrastructure. Private sector and other government organizations also rely heavily on these NIST-produced resources. That includes organizations developing or using information, communications, and operational technologies which depend upon complex, globally distributed and interconnected supply chains. These supply chains cover the entire life cycle from research and development, design, and manufacturing to acquisition, delivery, integration, operations and maintenance, and disposal.
Since 2008, NIST has conducted research and collaborated with a large number and variety of stakeholders to produce information resources which help organizations with their Cyber Supply Chain Risk Management – or C-SCRM. By statute, federal agencies must use NIST’s C-SCRM and other cybersecurity standards and guidelines to protect non-national security federal information and communications infrastructure. The SECURE Technology Act and FASC Interim Final Rule gave NIST specific authority to develop C-SCRM guidelines. NIST also is a member of the Federal Acquisition Security Council (FASC).
NIST has given several grants to conduct research in this area as well as to develop a web-based risk assessment and collaboration tool.
Managing cyber supply chain risk requires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services. NIST focuses on:
Security and Privacy: controls assessment, cyber supply chain risk management, information sharing, malware, risk assessment, security controls, security measurement, security programs & operations, systems security engineering, vulnerability management
Technologies: cloud & virtualization, hardware, software & firmware
Applications: communications & wireless, cybersecurity framework
Laws and Regulations: Comprehensive National Cybersecurity Initiative, Cybersecurity Enhancement Act, Cybersecurity Strategy and Implementation Plan, Cyberspace Policy Review, Executive Order 13636, Federal Acquisition Regulation, Federal Information Security Modernization Act, Homeland Security Presidential Directive 12, OMB Circular A-130