Cybersecurity Supply Chain Risk Management C-SCRM

External References

***Disclaimer: Items in the following lists are provided for research purposes, and do not imply endorsement by NIST.***

• U.S. Government Activities / Initiatives
• Related Standards / Best Practices
• C-SCRM Research / References
• Involved Standards Organizations / Associations

U.S. Government Activities / Initiatives

• Committee on National Security Systems Directive (CNSSD) 505 - "...provides the guidance for organizations that own, operate, or maintain [National Security Systems (NSS)] to address supply chain risk and implement and sustain SCRM capabilities".
• Comprehensive National Cybersecurity Initiative (CNCI) Number 11– “This initiative will enhance Federal Government skills, policies, and processes to provide departments and agencies with a robust toolset to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.”
• Defense Microelectronics Activity Trusted IC Supplier Accreditation Program – designated by the Department of Defense as the accrediting authority for trusted design, aggregator/broker, mask and wafer fabrication, packaging and test services across a broad technology range for specialized governmental applications both classified and unclassified.
• DoD Supply Chain Integration - “responsible for the orchestration, synchronization, and integration of global supply chain integration and its operational execution”
• Government-Industry Data Exchange Program (GIDEP) – “contains information on equipment, parts, and assemblies which are suspected to be counterfeit.”
• International Center for Enterprise Preparedness (InterCEP) Supply Chain Working Group – “Currently, the U.S. Department of Homeland Security is engaged in the process to fulfill its charge under the law to initiate the national voluntary certification program. InterCEP seeks to serve as a catalyst for business sector involvement and plans to work with other organizations to promote both awareness of the program and input into its development.”
• National Strategy for Global Supply Chain Security – Establishes “the United States Government’s policy to strengthen the global supply chain in order to protect the welfare and interests of the American people and secure our Nation’s economic prosperity”
• OMB Circular A-130 - "...designed to help drive the transformation of the Federal Government and the way it builds, buys, and delivers technology...".

Back to Top

Related Standards / Best Practices

• Logistics / Supplier Management
  • ARP9113 – Aerospace Supply Chain Risk Management Guidelines
  • AS9120 – Aerospace Requirements for Stockist Distributors
  • ASIS International - Supply Chain Risk Management: A Compilation of Best Practices – “Provides a framework for collecting, developing, understanding, and implementing current best practices for supply chain risk management (SCRM).”
  • ISO/IEC 27036 – Information Technology – Security Techniques – Information Security for Supplier Relationships (Four Parts)
  • PAS 7000:2014 – Supply Chain Risk Management – Supplier Prequalification
• Integrity / Quality / Asset Management
  • ANSI/EIA 4899 - Standard for Preparing an Electronic Components Management Plan
  • ARP9134A – Aerospace Supply Chain Risk Management Guideline focusing “on Quality as a key risk assessment factor”
  • IEEE 828-2012 – IEEE Standard for Configuration Management in Systems and Software Engineering
  • ISO 13485:2003 – Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes
  • ISO 9000 – Quality Management
  • ISO/IEC 15408-1:2009 – Information Technology – Security Techniques – Evaluation Criteria for IT Security (3 parts)
  • SAFECode Framework for Software Supply Chain Integrity
  • SAFECode Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain
• Counterfeit Products
  • ANSI Best Practices in the Fight Against Global Counterfeiting (2011)
  • IDEA/STD 1010-B – Acceptability of Electronic Components Distributed in the Open Market
  • Open Trusted Technology Provider™ Standard (O-TTPS) - Mitigating Maliciously Tainted and Counterfeit Products - “an open standard containing a set of organizational guidelines, requirements, and recommendations for integrators, providers, and component suppliers to enhance the security of the global supply chain and the integrity of Commercial Off The Shelf (COTS) Information and Communication Technology (ICT).”
  • SAE AS5553 – Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition
  • SAE AS6462A – Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition Verification Criteria
• Systems Engineering / Software Development
  • ISO/IEC 15026 – Systems and Software Engineering – Systems and Software Assurance (Four Parts)
  • ISO/IEC TR 24772:2013 – Information Technology – Programming Languages – Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and use
  • MITRE Systems Engineering Guide – “Developed by systems engineers for systems engineers… The text is written as if the author is speaking directly to a MITRE technical staff member”
  • NDIA Engineering for System Assurance (2008)
  • NEMA CPSP 1-2015 – “This document identifies a recommended set of supply chain best practices and guidelines that electrical equipment and medical imaging manufacturers can implement during product development to minimize the possibility that bugs, malware, viruses, or other exploits can be used to negatively impact product operation.”
  • SAFECode Fundamental Practices for Secure Software Development 2nd Edition
  • US- CERT Software Assurance (SwA) Pocket Guides
• IT Risk Management
  • ASTM E1578 –Standard for Laboratory Informatics
  • ISO/IEC 27001 – Information Technology – Security Techniques – Information Security Management Systems – Requirements

Back to Top

C-SCRM Research

For NIST / NIST-Sponsored Publications, please see https://csrc.nist.gov/Projects/Supply-Chain-Risk-Management

• Bartol, Nadya (2015). Utilities Telecom Council Cyber Supply Chain Risk Management For Utilities – Roadmap for Implementation. Utilities Telecom Council. Washington, DC.  View
• Bloomberg (2011). Supply Chain Cybersecurity. Bloomberg View Cybersecurity Conference. New York, NY. View
• Charney, S., Werner, E. (2011). Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust. Microsoft Corporation.View
• Darrell M. West. (2013). Twelve Ways to Build Trust in the ICT Global Supply Chain. Issues in Technology Innovation. Center for Technology Innovation at Brookings. View
• Ellison, R., Goodenough, J., Weinstock, C., & Woody, C. (2010). Evaluating and Mitigating Software Supply Chain Security Risks. (CMU/SEI-2010-TN-016). Retrieved February 08, 2013, from the Software Engineering Institute, Carnegie Mellon University website: View
• Filsinger, J., Fast, B., Wolf, D.G., Anderson, M. (2012). Supply Chain Risk Management Awareness. Armed Forces Communication and Electronics Association Cyber Committee. View
• Gorman, C. (2012). Counterfeit Chips on the Rise. Spectrum, IEEE. 49 (6), 16-17. View
• IATAC. (2010). Risk Management for the Off-the-Shelf (OTS) Information Communications Technology (ICT) Supply Chain [For Official Use Only]. SOAR.
• Information Security Forum (2012). Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your own. View
• Institute for Defense Analyses (2011). Challenges in Cyberspace. IDA Research Notes. View
• Kimmins, J. (2011) Telecommunications Supply Chain Integrity: Mitigating the supply chain security risks in national public telecommunications infrastructures. Cybersecurity Summit (WCS), 2011 Second Worldwide. 1-4.View
• Qiu, X. (2011) Architectural Solution Integration to contain ICT supply chain threats. Cybersecurity Summit (WCS), 2011 Second Worldwide. 1-4. View
• Siegfried, M. (2012). Defending Cyberspace: Businesses search for ways to protect their computer networks and supply chains against relentless attacks by cybercriminals. Inside Supply Management. View
• Simpson, S. (2008). Fundamental Practices for Secure Software Development: A guide to the Most Effective Secure Development Practices in Use Today. SAFECode. View
• Simpson, S. (2009). The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain. SAFECode. View

Back to Top

Involved Standards / Associations

• National Defense Industrial Association (NDIA) Systems Engineering Division – Seeks “to promote the widespread use of systems engineering (SE) in the Department of Defense (DoD) acquisition process
• International Council on Systems Engineering (INCOSE) – “champions the art, science, discipline, and practice of systems engineering.”
• International Electronics Manufacturing Initiative – “iNEMI roadmaps the future technology requirements of the global electronics industry, identifies and prioritizes technology and infrastructure gaps, and helps eliminate those gaps through timely, high-impact deployment projects.”
  • iNEMI Supply Chain Support for Medical Products
  • iNEMI Rare Earth Metals Assessment and Supply Chain Actions
• Information Technology Industry Council (ITI) – “ITI navigates the relationships between policymakers, companies, and non-governmental organizations, providing creative solutions that advance the development and use of technology around the world.”
• International Electronics Manufacturing Initiative (iNEMI) – a not-for-profit, R&D consortium whose mission is to “forecast and accelerate improvements in the electronics manufacturing industry for a sustainable future.”
• Information Security Forum – “This project will focus on creating a methodology and supporting toolkit to help Members secure their supply chains end-to-end.”
• Internet Security Alliance – Seeks to provide “practical security measures necessary for the Design, Fabrication, Pre-assembly, Assembly, Distribution, and Maintenance Phases, along with reviewing the legal contractual conditions necessary for implementing the other security measures.”
• International Standards Organization (ISO) – “the world’s largest developer of voluntary International Standards… covering almost all aspects of technology and business.”
• IT Sector Coordinating Council – “the principal entity for coordinating with the government on a wide range of critical infrastructure protection activities and issues.”
• SAFECode – “SAFECode is dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. To this end, SAFECode unites subject matter experts with unparalleled experience in managing complex global processes for software development, integrity controls and supply chain security.”
• Semiconductor Industry Association (SIA) – “The SIA promotes policies and regulations that fuel innovation, propel business and drive international competition in order to maintain a thriving semiconductor industry in the United States.”
• Supply Chain Management Association – “the principal source of supply chain training, education and professional development in [Canada].”
• The Open Group Trusted Technology Forum
• The Trustworthy Software Initiative (TSI) – a United Kingdom “public good initiative supported and funded through the UK Government’s National Cyber Security Programme (NCSP) with a mission to ‘Make Software Better’.”
• American National Standards Institute (ANSI) – “The ANSI Federation’s primary goal is to enhance the global competitiveness of U.S. business and the American quality of life by promoting and facilitating voluntary consensus standards and ensuring their integrity.”
• Common Criteria - “the driving force for the widest available mutual recognition of secure IT products.”
• GS1 – “The GS1 System is an integrated system of global standards that provides for accurate identification and communication of information regarding products, assets, services and locations.”
• Independent Distributors of Electronics Association (IDEA) – “a non-profit trade association representing quality and ethically oriented independent distributors of electronic components.”
• US Resilience Project - examples of the kinds of capabilities and competencies that companies are creating to manage disasters and to identify their priorities for partnering with government.
• US-Cert “Build Security In” - Build Security In is a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.
• SAE International - a global association of more than 128,000 engineers and related technical experts in the aerospace, automotive and commercial-vehicle industries
• Utilities Telecom Council (UTC) – “the source and resource for information and communications technology (ICT) solutions, collaboration, and advocacy for utilities and other critical infrastructure industries.”

Back to Top

Last Updated: 10/2016