Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool

The NIST Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool is a prototype with sample code designed to provide a basic measurement of the potential impact of a cyber supply chain event. The tool is not intended to measure the risk of an event, where risk is defined as a function of threat, vulnerability, likelihood, and impact. Research has found that most existing cybersecurity risk tools and research focus on threats, vulnerabilities, and likelihood, while impact is frequently overlooked. By focusing on impact, this tool is intended to bridge that gap and provide an example of how users and tool developers may more completely measure an organization's cyber supply chain risk.

The tool is also intended to give the user greater visibility over the supply chain and the relative importance of particular projects, products, and suppliers (hereafter “nodes”) compared to others. Importance is determined by examining the metrics that contribute to it, such as the amount of access a node has to the acquirer’s IT network, physical facilities, and data. By understanding which nodes are the most important in their organization’s supply chain, the user can begin to understand the potential impact a disruption of that node may have on business operations. The user can then prioritize risk-mitigating actions to reduce the impact such a disruption would have on the organization’s supply chain and overall business.
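As an added illustration of the idea in the paragraph above (this is example code written for this page, not the NIST tool's own algorithm, which is documented in NIST IR 8272), the following Python sketch scores nodes on the three access metrics the page names, follows interdependencies from suppliers through products to the projects they support, and ranks nodes by the business value a disruption would reach. The weights, the 0..3 access scale, the "reach times (1 + access)" combination, and the sample supply chain are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Weights for the access metrics the page names (constructed for this example;
# NIST IR 8272 documents the tool's own scoring, which is not reproduced here).
WEIGHTS = {"network_access": 0.40, "physical_access": 0.25, "data_access": 0.35}
MAX_LEVEL = 3  # constructed 0..3 scale: 0 = no access, 3 = privileged/unrestricted


@dataclass
class Node:
    name: str
    kind: str                      # "supplier", "product" or "project"
    network_access: int = 0        # access to the acquirer's IT network
    physical_access: int = 0       # access to physical facilities
    data_access: int = 0           # access to data
    supports: list = field(default_factory=list)  # nodes that depend on this one
    criticality: float = 0.0       # projects only: business value on a 0..1 scale


def access_score(node: Node) -> float:
    """Node importance in [0, 1] derived from the three access metrics."""
    return sum(w * getattr(node, m) / MAX_LEVEL for m, w in WEIGHTS.items())


def downstream_projects(graph: dict, name: str, seen=None) -> set:
    """All projects reachable from `name` along 'supports' edges (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    node = graph[name]
    found = {name} if node.kind == "project" else set()
    for child in node.supports:
        found |= downstream_projects(graph, child, seen)
    return found


def disruption_impact(graph: dict, name: str) -> float:
    """Constructed impact estimate: the business value of every project a
    disruption of this node would reach, amplified by the access the node holds."""
    reach = sum(graph[p].criticality for p in downstream_projects(graph, name))
    return round(reach * (1.0 + access_score(graph[name])), 3)


def prioritize(graph: dict) -> list:
    """Nodes ranked by disruption impact, highest first (a mitigation order)."""
    scored = [(n, disruption_impact(graph, n)) for n in graph]
    return sorted(scored, key=lambda pair: -pair[1])


# Constructed sample supply chain: three suppliers, two products, two projects.
SAMPLE = {n.name: n for n in [
    Node("Billing-Portal", "project", criticality=0.9),
    Node("Lab-Kiosk", "project", criticality=0.3),
    Node("Auth-Service", "product", supports=["Billing-Portal", "Lab-Kiosk"]),
    Node("Board-A", "product", supports=["Lab-Kiosk"]),
    Node("MSP-Cloud", "supplier", network_access=3, data_access=3, supports=["Auth-Service"]),
    Node("ChipCo", "supplier", network_access=1, supports=["Board-A"]),
    Node("Janitorial", "supplier", physical_access=3, supports=["Lab-Kiosk"]),
]}

if __name__ == "__main__":
    for name, impact in prioritize(SAMPLE):
        print(f"{name:15} impact={impact:.3f} access={access_score(SAMPLE[name]):.2f}")
```

In the sample, the managed-service supplier with full network and data access that feeds the authentication product used by both projects ranks first; the supplier with only physical access to the kiosk's facility still ranks above the low-access chip vendor, because reach into critical projects and access level both feed the score. Real use would replace the constructed weights and scale with the organization's own assessment of each metric.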

Documentation for the tool can be found in Draft NIST Internal Report (IR) 8272, Impact Analysis Tool for Interdependent Cyber Supply Chain Risks.

Below are several installer packages for the tool:


Source Code:

The source code for this project along with additional information on installing the code is available on GitHub: https://github.com/usnistgov/supply-chain-interdependency-tool

This software was developed at the National Institute of Standards and Technology in whole or in part by employees of the Federal Government in the course of their official duties and is being made available as a public service. For portions not authored by NIST employees, NIST has been granted unlimited rights. Pursuant to title 17 United States Code Section 105, works of NIST employees are not subject to copyright protection in the United States. This software may be subject to foreign copyright. Permission in the United States and in foreign countries, to the extent that NIST may hold copyright, to use, copy, modify, create derivative works, and distribute this software and its documentation without fee is hereby granted on a non-exclusive basis, provided that this notice and disclaimer of warranty appears in all copies.

THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. IN NO EVENT SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER.

Created May 24, 2016, Updated June 22, 2020