The National Institute of Standards and Technology (NIST) has released an updated publication on managing cybersecurity risk in the supply chain, NIST SP 800-161r1 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations). Given the sharp rise in supply chain attacks, the update could not have come at a better time. Cybersecurity supply chain risk management (C-SCRM) is the process of identifying and managing an enterprise's exposure to cybersecurity risk throughout its supply chain and developing appropriate responses to that exposure. SP 800-161r1 gives enterprises guidance on how to identify, assess, select, and implement risk management processes and mitigating controls across the organization so that supply chain cybersecurity risk is managed consistently rather than product by product or vendor by vendor.
How can you integrate Cybersecurity Supply Chain Risk Management (C-SCRM) into Enterprise-wide risk management? – A brief overview
The C-SCRM depiction above follows the four steps of the NIST risk management process, applied to the supply chain. The first step is Frame risk: establish the context for risk-based decisions, including the current state of your enterprise's information and communications technology (ICT) and services and the supply chain behind them. The second step is Assess risk: review and interpret the criticality of the systems and suppliers involved, the threats and vulnerabilities that apply to them, the likelihood and impact of those threats, and any other related information. The third step is Respond to risk: select, tailor, and implement mitigating controls based on the findings of the assessment. The last step is Monitor risk: track risk exposure on an ongoing basis, including changes to an information system or to the supply chain itself (a new supplier, a new component, a change in a supplier's security posture), using effective communication and a feedback loop that drives continuous improvement. The steps are not a one-time sequence; monitoring feeds back into framing and assessment as the supply chain and the threat landscape change.
Managing cybersecurity risk throughout the supply chain is a complex undertaking. It requires a mature enterprise and a coordinated, multidisciplinary approach that spans procurement, legal, engineering, IT, and security functions rather than sitting with the security team alone.
Coming soon, we will release a tool to help your organization determine whether NIST SP 800-161r1 is right for your enterprise and to show how we can help you implement it and further mature your C-SCRM program.