The National Institute of Standards and Technology (NIST) is seeking comment on new revisions to its cyber supply chain risk management guidance.

NIST in April published revised Special Publication 800-161, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” its first update since the original version in 2015. Changes to relevant legislative and regulatory guidance, as well as to federal and industry practices, prompted the need to update SP 800-161, said Jon Boyens, a senior adviser for information security at NIST and co-author of the guidance.

On May 12, NIST held a virtual workshop to discuss the hefty 277-page guidance, breaking it down into its simplest form. Within the guidance, NIST defines cyber supply chain risk management (C-SCRM) as a “systematic process for managing cyber supply chain risk exposures, threats, and vulnerabilities throughout the supply chain and developing response strategies to the cyber supply chain risks presented by the supplier, the supplied products, and services, or the supply chain.”

The overall purpose of the guidance is to help organizations identify and assess cyber supply chain risks and implement C-SCRM risk management controls, Boyens said. Whereas the original version was designed for information security practitioners and federal agencies, the revised version is intended for a much broader audience—effectively anyone involved in C-SCRM in both the private and public sector.

“The guidance/controls contained in this publication are built on existing multidisciplinary practices and are intended to increase the ability of organizations to strategically and operationally manage the associated cyber supply chain risks over the entire life cycle of systems, products, and services,” NIST stated.

C-SCRM elements

The revised version was expanded to include discussion not only on the foundational elements of a C-SCRM function—which was more the focus of the 2015 version—but also around “sustaining and enhancing” those practices.

“Organizations should prioritize reaching a base level of maturity in key practices prior to specifically focusing on advanced C-SCRM capabilities,” the guidance states.

At the foundational level, as the guidance describes in more detail, an agency or organization should:

  • Establish a dedicated multidisciplinary C-SCRM program management office (PMO) and/or team;
  • Establish an organization governance structure that integrates C-SCRM requirements and incorporates them into organizational policies;
  • Identify and measure critical components and suppliers; and
  • Develop and/or integrate C-SCRM into acquisition/procurement policies and procedures and purchase card processes.

Robust C-SCRM cannot be achieved without involving the acquisition team, which can play a role in helping to identify critical and high-risk suppliers and addressing C-SCRM in the procurement process by determining which controls are applicable, for example. The guidance includes a table showing where C-SCRM considerations could apply in the procurement lifecycle, but NIST welcomes comments in this area as well, said Angela Smith, an IT specialist at NIST.

A second core part of the revised guidance includes an in-depth discussion on how to better integrate C-SCRM into enterprise-wide risk management (ERM), including a newly added section describing how to develop a central PMO. “Having something like a dedicated program management office can be instrumental in getting the program going and then being able to sustain and enhance it over time,” Smith said.

The purpose of a central C-SCRM PMO, in part, is to provide advisory services and expertise to other business units, which are then responsible for selecting and requesting services from the PMO as part of their responsibilities to meet the organization’s C-SCRM goals and objectives, the guidance states.

Other benefits of a PMO include being a liaison to external stakeholders; serving as a centralized hub for C-SCRM awareness and training templates; and managing the C-SCRM risk register.

According to the guidance, a PMO function typically consists of C-SCRM experts who help drive strategy and implementation across the organization and its mission and business processes and may report to an executive-level official responsible for overseeing C-SCRM activities across the organization.

Depending on organization-specific constraints, a PMO may consist of dedicated personnel or of staff with C-SCRM responsibilities across a variety of business functions—like information security, IT, procurement, risk management, compliance, and legal. The key point: “You can’t do supply chain risk management without having that integrated, interdisciplinary team,” Smith said.

The importance of taking a coordinated, interdisciplinary approach across an organization toward establishing a C-SCRM program cannot be emphasized enough. It’s not about having in place a separate C-SCRM function that occasionally links back to the ERM function, Smith said. Rather, it’s about “maximizing and optimizing use of existing resources and functions and the expertise that already exists in the ERM function,” she said.

Even in smaller agencies or organizations with no central PMO, the idea is for those within the organization with C-SCRM expertise and knowledge to “become a center of expertise that the rest of the organization can then lean upon to grow their awareness, knowledge, and experience over time,” Smith said. “The key point here is that you really want to be able to have somebody who can facilitate that coordination who can be relied upon to provide that expertise and hand-holding, if needed.”

Sustaining practices

Once an organization embraces the foundational practices of C-SCRM, the next step is sustaining those practices.

The guidance describes the following as sustaining practices that advance C-SCRM capabilities:

  • Using third-party assessments, site visits, and formal certification to assess critical suppliers;
  • Clearly defining the organization’s risk appetite and risk tolerances to empower leaders with delegated authority across the organization to make C-SCRM decisions in alignment with the organization’s mission, strategic goals, and objectives;
  • Embedding C-SCRM-specific training into training of applicable organizational roles involved;
  • Setting up formal C-SCRM training, either standalone or integrated with training on other topics (e.g., cyber-security, procurement, risk management, and compliance);
  • Collaborating more closely with suppliers to help them improve their cyber-security and C-SCRM practices;
  • Collecting and reporting qualitative C-SCRM metrics.

While the original guidance focused more on risk tolerance, the new draft adds deeper discussion around risk appetite, said Matthew Fallon, a cyber-security manager at Boston Consulting Group. According to the guidance, risk appetite “represents the types and amount of risk an organization is willing to accept in pursuit of value,” whereas risk tolerance establishes the boundaries of an organization’s risk appetite.

The guidance further includes supplemental guidance and a table showing examples of how risk appetite and risk tolerance statements work together to frame risk within an organization.

Enhancing practices

At the most mature level, an organization should focus on enhancing its C-SCRM practices, with the goal of “advancement toward adaptive and predictive C-SCRM capabilities,” the guidance states. Organizations should pursue the following enhancing practices “once sustaining practices have been broadly implemented and standardized across the organization”:

  • Automate C-SCRM processes where applicable and practical to drive execution consistency, efficiency, and free up key resources to focus on other critical activities;
  • Adopt quantitative risk analyses; and
  • Apply insights gained from leading C-SCRM metrics (i.e., forward-looking indicators) to shift from reactive to predictive C-SCRM strategies and plans that adapt to cyber supply chain risk profile changes before they occur.

Bringing these three elements together—foundational, sustaining, and enhancing—the revised draft adds another new section, “critical success factors,” that lists the following measures:

  • Integrating C-SCRM considerations into acquisition activities;
  • Building information sharing processes and activities into C-SCRM programs;
  • Providing C-SCRM awareness and training, tailored to individuals’ specific roles and responsibilities;
  • Implementing C-SCRM metrics to measure and manage the effectiveness of the program; and
  • Deploying dedicated resources toward all these efforts.

For organizations looking to implement a C-SCRM program, the best place to start is to “review the foundational practices and figure out where the organization is [relative to those practices],” Smith said. Additionally, consider the critical success factors and what it will take to move the organization’s C-SCRM program to a higher level of maturity. Measure the program as it goes along, and make sure you’re achieving desired outcomes, she said.

The organization’s unique risk appetite and risk tolerance should drive the C-SCRM program, Fallon said. “Those have to inform the pieces and components that you’re going to be tackling first, because it’s overwhelming otherwise,” he said.

NIST is accepting public comment on the guidance until June 14. Based on feedback, NIST anticipates releasing a second draft in September 2021 and a final version by April 2022.