The longer a global supply chain grows, the less visibility and assurance corporations have into the integrity and security of their products and operations. Now NIST is trying to pierce that fog, and compliance officers in the private sector might want to take notice.

Earlier in April the National Institute of Standards and Technology issued its latest guidance, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations” (NIST Special Publication 800-161), a 282-page document on how to better manage the supply chain for technology products and root out cyber-threats that might leave a piece of IT equipment compromised, or simply malfunctioning. NIST’s guidance is written for government agencies that acquire large amounts of information and communication technology, but the principles behind it are just as useful elsewhere.

“Every organization relies upon technology, whether it’s in their manufacturing processes, their products, or services, or if it’s to enable their business activity,” says Jon Boyens, a senior adviser for information security at NIST and co-author of the guidance.

In today’s globalized world, the components of a laptop or a cellular phone, for example, are routinely manufactured in many different locations, while assembly of the final product may take place in yet another part of the world. Now imagine how much more complex that supply chain becomes for a much larger system, such as the avionics in a commercial airplane or a communications network for the military.

“Each access point into the technology, which ultimately is assembled into one product or service, creates risk,” Boyens says. Attackers might try to embed malicious software or firmware in those components, or poorly trained workers might simply assemble a bad part. Either way, the threats to the supply chain are many, and the end result is the same: an untrustworthy product, and the organization that bought it may not even know the problem exists.

“Cyber-supply chain risk management is still a fairly nascent discipline,” Boyens says. “I would say it’s where traditional supply chain risk management was about 15 years ago. It’s still developing.”

Risk Management

One part of the guidance describes three tiers of risk management to help organizations integrate ICT supply chain risk management (yes, there’s an acronym for that: ICT SCRM) into how they already operate. They are:

Tier 1: Organization. In this tier, the company’s executive leadership team defines the company’s overall ICT SCRM strategy, policies, goals, and objectives. These activities “help to ensure that ICT SCRM mitigation strategies are cost-effective, efficient, and consistent with the strategic goals and objectives of the organization,” the guidance states. This tier is also responsible for establishing a risk tolerance level for ICT supply chain risks.

Senior leadership support is “non-negotiable,” says Jennifer Bisceglie, president and CEO of Interos Solutions, a consulting firm that works on supply chain risk management. It must be connected to the business objective, she says, or leadership will not support it.

At the organization tier, another step is to establish a team with roles and responsibilities for leading and supporting ICT SCRM activities. “We advocate a team-based approach,” Boyens stresses. The specific functions that may be involved in managing ICT supply chain risks can include compliance, risk, legal, IT, supply chain and logistics, acquisition and procurement, and other relevant functions, he says.

Tier 2: Mission/business process. This tier is responsible for developing actionable policies and procedures, guidance, and constraints. In this tier, program requirements are defined and managed; they might include cost, schedule, performance, and a variety of critical non-functional requirements such as reliability, dependability, safety, security, and quality. “Many threats to and through the supply chain are addressed at this level, in the management of trust relationships with system integrators, suppliers, and external service providers of ICT products and services,” the guidance states.

Tier 3: Information system. This tier is where ICT SCRM activities are integrated into the system development lifecycle of IT systems and system components. “Many threats through the supply chain are addressed at this level, with the use of ICT SCRM-related information security requirements,” the guidance explains.

Reducing ICT supply chain risks should be an enterprise-wide effort. “Generally, senior leaders provide the strategic direction, mid-level leaders plan and manage projects, and individuals on the front lines develop, implement, and operate the ICT supply chain infrastructure,” the guidance states.

Below is an excerpt from the National Institute of Standards and Technology’s guidance, describing the three organizational tiers that make up information and communication technology supply chain risk management (ICT SCRM).
Tier 1: Organizational level. In general, Tier 1 is engaged in the development of the overall ICT SCRM strategy, determination of organization-level ICT SCRM risks, and setting of the organization-wide ICT SCRM policies to guide the organization’s activities in establishing and maintaining organization-wide ICT SCRM capability.
Tier 2: Mission/business process level. Tier 2 is engaged in prioritizing the organization’s mission and business functions, conducting mission/business-level risk assessment, implementing Tier 1 strategy and guidance to establish an overarching organizational capability to manage ICT supply chain risks, and guiding organization-wide ICT acquisitions and their corresponding SDLCs.
Tier 3: Information system level. Tier 3 is involved in specific ICT SCRM activities to be applied to individual information systems and information technology acquisitions, including integration of ICT SCRM into these systems’ [development life cycles].
The ICT SCRM activities can be performed by a variety of individuals or groups within an organization, ranging from a single individual to committees, divisions, programs, or any other organizational structures. ICT SCRM activities will be distinct for different organizations depending on their organization’s structure, culture, mission, and many other factors.
It should be noted that this publication gives organizations the flexibility to either develop stand-alone documentation (e.g., policies, assessment and authorization plan and ICT SCRM plan) for ICT SCRM, or to integrate it into existing agency documentation.
Source: NIST.

After these three tiers have been established, ICT SCRM should be integrated into enterprise-wide risk management processes by implementing the following steps:

Frame: Establish the context for risk-based decisions and the current state of the information system or ICT supply chain infrastructure.

Assess: Review and interpret severity, threat, vulnerability, likelihood, impact, and related information.

Respond: Select, tailor, and implement mitigation controls once a risk has been identified.

Monitor: Monitor risk on an ongoing basis, including changes to an information system or ICT supply chain infrastructure, using effective communications and a feedback loop for continuous improvement.

Any company that’s trying to implement supply chain risk management best practices can use the NIST guidance as a framework, although the exercise will always involve lots of effort and attention. “This does not negate the need for each organization to take the time to review their internal policies and processes to see where they might be introducing vulnerabilities into their operations, or accepting risk from their supplier base and partners,” Bisceglie says.

Furthermore, Boyens says that the guidance is meant to complement, rather than replace, existing standards and guidelines such as COBIT 5 or the ISO/IEC 27000 series. “Our risk management processes are consistent with other risk management processes in terms of identifying, assessing, and managing that risk,” he says.

Because technology supply chains differ across and within organizations, those risk management plans “should be tailored to individual organizational, program, and operational contexts,” the guidance stresses. Tailored plans will “help organizations to focus appropriate resources on the most critical functions and components based on organizational mission/business requirements and their risk environment.”

“We need to change the workflow from reactive to proactive,” Bisceglie says; supply chain risk management should be a process, rather than a compliance checklist activity.