Modern goods and services rely on a supply chain ecosystem, which are interconnected networks of manufacturers, software developers, and other service providers. This ecosystem provides cost savings, interoperability, quick innovation, product feature diversity, and the freedom to pick between rival providers. However, due to the many sources of components and software that often form a final product, supply chains carry inherent cybersecurity risks.

Organizations need to be aware of the risks associated with goods and services that may include potentially harmful functionality, counterfeiting, or susceptibility to other vulnerabilities as a result of poor manufacturing and development procedures throughout the supply chain.

The National Institute of Standards and Technology (NIST) has revised its Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations publication. The document, found under the heading, Special Publication 800-161r1SP revises the guidelines for recognizing, analyzing, and reacting to cybersecurity threats across the supply chain at all organizational levels. It helps NIST meet its duties under the 2021 Executive Order on Improving the Nation’s Cybersecurity, which tackles the rise of software security vulnerabilities across the supply chain.

Cybersecurity Supply Chain Risk Management (C-SCRM)

Since 2008, NIST has performed research and cooperated with a vast number and range of stakeholders to provide information resources that assist businesses with their Cybersecurity Supply Chain Risk Management (C-SCRM). This initiative is aimed at helping businesses to manage cybersecurity threats across their supply chains. Statutorily, federal agencies are required to use NIST’s C-SCRM and other cybersecurity standards and recommendations to secure non-national security information and communications infrastructure. The SECURE Technology Act and FASC Rule provided the NIST with special authority to draft C-SCRM recommendations.

In the cybersecurity-related parts of the supply chain, potential risks include the introduction of counterfeits, illegal production, tampering, theft, the insertion of harmful software and hardware, and poor manufacturing and development procedures.  The goal of supply chain management as it relates to cybersecurity risks includes maintaining the integrity, security, quality, and resilience of the entire chain and its goods and services. C-SCRM  looks at a supply chain system’s whole life cycle, including design, development, distribution, deployment, acquisition, maintenance, and destruction.

NIST Special Publication 800-161r1

This revised publication updates guidance on identifying, assessing, and responding to cybersecurity risks across an organization’s entire supply chain. The publication provides critical principles for organizations to implement as they build their capacity to handle cybersecurity risks. It also alerts organizations to consider the vulnerabilities, not just of a finished product they might use, but also of each of its parts, which might have been made somewhere else, and the path those parts took to get to their final destination.

The new C-SCRM guideline covers a vast variety of stakeholder groups, including information security, privacy, system development and implementation, acquisition, procurement, legal, and human resources. C-SCRM includes activities from the beginning of a system’s development life cycle, through the end of the system’s life.

The core audience for the revised publication consists of buyers and final consumers of goods, software, and services. The guideline helps organizations include cybersecurity supply chain risk concerns and regulations into their purchasing procedures and emphasizes the need of monitoring for risks. Due to the fact that cybersecurity risks may develop at any stage of a product’s life cycle or supply chain, the guideline now takes into account possible vulnerabilities, such as the sources of code inside a product or the merchants that carry it.

In Conclusion:

The supply chain is a weak point in international trade. It allows technology developers and suppliers to build and deliver novel solutions, but it may leave companies, their final products, and eventually customers vulnerable to cyberattacks.

Managing supply chain cybersecurity is an ongoing necessity, and if your organization hasn’t begun, there is a complete solution that may help you get started right away. The C-SCRM publication now includes essential practices that businesses may use to improve their capacity to manage cybersecurity risks inside and across their supply chains.

It encourages organizations to reconsider the vulnerabilities of a final product they’re contemplating employing, as well as the vulnerabilities of its components, which may have been produced elsewhere, and the path those components traveled to get there.

About the Author: Josephine Uba has written blog posts and guides on Cybersecurity, cryptocurrencies, cyber laws and cybercrimes, which has gained her recognition as a thought leader in these fields especially under Nigerian jurisdiction. She earned the Mondaq Thought Leadership Award in 2021 and recently won the Nigeria Overall Mondaq Thought Leadership Award in 2022 solely by writing on these topics.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.