Modern goods and services rely on a supply chain ecosystem, which are interconnected networks of manufacturers, software developers, and other service providers. This ecosystem offers cost savings, interoperability, rapid innovation, diversity of product functionality, and the freedom to choose between rival vendors. However, due to the many sources of components and software that often form an end product, supply chains carry inherent cybersecurity risks.
Organizations should be aware of the risks associated with goods and services which may include potentially harmful functionality, counterfeiting, or susceptibility to other vulnerabilities due to poor manufacturing and development procedures throughout the supply chain.
The National Institute of Standards and Technology (NIST) has revised its publication Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. The document, which can be found as Special Publication 800-161r1SP, revises guidance for recognizing, analyzing and responding to cybersecurity threats throughout the supply chain at all organizational levels. It helps NIST meet its obligations under the National Cyber Security Enhancement Executive Order of 2021, which addresses the increase in software security vulnerabilities throughout the supply chain.
Cybersecurity Supply Chain Risk Management (C-SCRM)
Since 2008, NIST has researched and cooperated with a large number and wide range of stakeholders to provide information resources that assist companies in their cybersecurity supply chain risk management (C-SCRM ). This initiative aims to help companies manage cybersecurity threats in their supply chains. Legally, federal agencies are required to use NIST’s C-SCRM and other cybersecurity standards and recommendations to secure non-national security information and communications infrastructure. The SECURE Technology Act and the FASC Rule gave NIST special authority to write C-SCRM recommendations.
In parts of the supply chain related to cybersecurity, potential risks include the introduction of counterfeits, illegal production, tampering, theft, insertion of harmful software and hardware, and poor manufacturing and manufacturing procedures. of development. The objective of supply chain management with respect to cybersecurity risks includes maintaining the integrity, security, quality and resilience of the entire chain and its assets. and services. C-SCRM examines the entire life cycle of a supply chain system, including design, development, distribution, deployment, acquisition, maintenance and destruction.
NIST Special Publication 800-161r1
This revised publication updates guidance on identifying, assessing and responding to cybersecurity risks across an organization’s supply chain. The publication provides essential principles that organizations should implement as they build their capacity to manage cybersecurity risks. It also warns organizations to consider vulnerabilities, not just in a finished product they might use, but also in each of its parts, which might have been manufactured elsewhere, and the path those parts took to arrive. to their final destination.
The new C-SCRM guideline covers a wide variety of stakeholder groups, including information security, privacy, systems development and implementation, acquisition, procurement, legal resources and human. C-SCRM includes activities from the beginning of a system’s development lifecycle to the end of the system’s life.
The target audience for the revised publication is buyers and end consumers of goods, software and services. The guideline helps organizations incorporate cybersecurity supply chain risk concerns and regulations into their procurement procedures and highlights the need to monitor risk. Since cybersecurity risks can develop at any stage of a product’s lifecycle or supply chain, the directive now takes into account possible vulnerabilities, such as sources of code at the inside a product or the merchants who offer it.
The supply chain is a weak point in international trade. This allows developers and technology providers to create and deliver new solutions, but it can leave businesses, their end products, and potentially customers vulnerable to cyberattacks.
Supply chain cybersecurity management is an ongoing necessity, and if your organization hasn’t started, there’s a comprehensive solution that can get you started right away. The C-SCRM publication now includes essential practices that companies can use to improve their ability to manage cybersecurity risks within and across their supply chains.
This encourages organizations to reconsider the vulnerabilities of an end product they plan to use, as well as the vulnerabilities of its components, which may have been produced elsewhere, and the path taken by those components to get there.
About the Author: Josephine Uba has written blog posts and guides on cybersecurity, cryptocurrencies, cyberlaws and cybercrime which has earned him recognition as a thought leader in these areas, especially under Nigerian jurisdiction. She won the Mondaq Thought Leadership Award in 2021 and recently won the Nigeria Overall Mondaq Thought Leadership Award in 2022 solely by writing on these topics.
Editor’s note: The opinions expressed in this article and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.