OMB Control #0693-0043
Expiration Date: 06/30/2025
A Federal agency may not conduct or sponsor, and a person is not required to respond to, nor shall a person be subject to a penalty for failure to comply with an information collection subject to the requirements of the Paperwork Reduction Act of 1995 unless the information collection has a currently valid OMB Control Number. The approved OMB Control Number for this information collection is 0693-0043. Without this approval, we could not conduct this survey/information collection. Public reporting for this information collection is estimated to be approximately 40 minutes per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the information collection. All responses to this information collection are voluntary. Send comments regarding this burden estimate or any other aspect of this information collection, including suggestions for reducing this burden to the National Institute of Standards and Technology (NIST) at: 100 Bureau Drive, Gaithersburg, MD, 20899, Attn: Hung Trinh, or [email protected].
Additional Informed Consent Information
The survey tool is intended for organizations exploring processes to improve their supply chain risk management. Intended users of this tool are employees involved in supply chain management or organization risk management functions, including cyber practitioners who wish to analyze and assess cybersecurity risks in their organization’s supply chain.
The original version, the cyber supply chain assessment tool, was developed jointly with the University of Maryland College Park, R.H. Smith School of Business (UMD), as part of research under a NIST grant and GSA sponsorship. The tool is composed of a survey questionnaire developed with the knowledge gained from decade-long research. That research involved regional field studies with industry over a several-year period and statistical analysis of how an organization's risk profile is affected by the extent to which it has adopted the practices defined within the Cybersecurity Framework (CSF).
The current iteration, the cyber supply chain survey tool, is cloud-based with a web interface for participants to enter the survey data anonymously and securely. The survey questions ask for information on a broad range of organization and cyber supply chain-related practices. The questions are grouped according to the five functions of the NIST Cybersecurity Framework (CSF 1.1): Identify, Protect, Detect, Respond, and Recover. The answers to the questions are primarily simple yes/no or Likert scale selections. From the data participants enter, the tool provides a score for each category within each CSF function. Appendix B of the user guide includes a mapping of the survey questionnaire to CSF 2.0.
The survey questionnaire requires data from multiple departments and teams at different levels of the organization. Since the workflow is designed for a single person to enter data for the organization, we highly recommend collecting the questionnaire responses in advance, as part of preparation before data entry into the survey. The complete questionnaire is available in the User Guide or can be printed from the survey tool webpage.
The survey results provide a view into the organization's risk profile based on the extent to which it has adopted the practices referenced in the CSF. They also identify additional NIST resources to support implementation in any potential gap areas and to better manage any residual risk. Insights to improve the risk profile can be found by clicking the "show details" button associated with each subcategory and following the hyperlinks to additional information on related guidance and standards sections. The printed report of the survey result (in PDF) retains the active hyperlinks so participants can conduct further research at a future date. Please note that the application removes the survey data upon browser closure, so printing should be done before closing the browser.
Download the user guide, then proceed to the survey by clicking the button below.
Security and Privacy: analytics, risk management