The supply chain has become top of mind for nearly every industry over the past 18 to 24 months, for everything from medicines to materials to minerals and much more. Cybersecurity is no exception, particularly the software supply chain, which is getting attention from efforts such as the Cybersecurity Executive Order (EO), work around a Software Bill of Materials (SBOM), and more.
This is deservedly so, as the world increasingly realizes its reliance on software and the need to secure it, regardless of where the software originates. That said, Cybersecurity Supply Chain Risk Management (C-SCRM) expands well beyond software and can include services and vendor relationships. In this article, we examine the broader supply chain ecosystem and how to begin addressing some of those risks.
Interdependencies and Risks of Third-Party Products
We find ourselves in a progressively complex technology and cybersecurity ecosystem. From external vendor services, third-party hardware and software products, and critical business partners and managed service providers, we have no shortage of interdependencies.
While these interdependencies often exist because external entities are needed to support critical business functions and activities, they may also introduce risk. We’ve seen several headlines of third parties and supply chain entities causing data breaches, such as Target’s incident due to an HVAC vendor. The reality is that no organization can do everything, and we inevitably rely on services and products that we don’t natively create or provide.
Establishing Strong Practices
But what are the first steps to approaching C-SCRM? One of the best sources to use is NIST’s SP 800-161 Rev. 1, titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” This publication helps organizations understand where to start when identifying, assessing, and mitigating cybersecurity supply chain risks. It helps organizations create C-SCRM plans and policies and understand how to perform C-SCRM assessments for the products and services they leverage or introduce into their organizations. Enterprise supply chains and information systems are complex, including their customer software, the lifecycle of their systems, and the external services that help support operations.
NIST recommends integrating C-SCRM into broader enterprise risk management activities. A C-SCRM program aims to acknowledge and manage risks, ensure resilient operations, and enable the organization to adapt when situations or incidents do occur in its supply chain.
Your C-SCRM stakeholders should be inclusive—from executive leadership to operational folks such as architects, developers, and acquisition professionals. This requires broad-scale cultural changes and adaptations. The guidance recommends not only establishing foundational practices, such as a C-SCRM team, baseline security controls, and governance structure, but also sustaining and ultimately enhancing those practices to lead to a robust C-SCRM program. This enhancement can be driven by methods such as automation, quantitative measurement, and metrics to move towards predictive behaviors.
Complex but Crucial
Establishing a C-SCRM program is a complex and burdensome undertaking. However, it is increasingly critical as nearly every organization relies on digital technologies to deliver customer value and facilitate revenue creation and mission execution. These digital technologies entail complex interdependencies and organizational threats.
Without establishing and maturing a C-SCRM program, organizations are flying blind to these risks. Your C-SCRM capabilities give you visibility into your broader IT ecosystem, including threats outside of your control, and assurance about the software and services you inherently depend on. Much like everything in cybersecurity, addressing SCRM requires a multifaceted approach consisting of people, processes, and technology, with the first arguably the most important.