Cyber Supply Chain Risk Management (C-SCRM) Best Practices

Cyber Supply Chain Risk Management (C-SCRM) Best Practices

It’s time-consuming enough to source solutions that fit your organization’s functional and business requirements. Evaluating a potential supplier’s cybersecurity posture introduces additional complexity and uncertainty into the sourcing and selection process.

That’s why it’s essential to start your relationship with a potential supplier by conducting pre-contract due diligence in line with your RFIs, RFPs and other RFx processes. Cybersecurity insights to seek at this early stage of the supplier relationship should include:

• Data breach history and disclosures, to help determine whether the vendor is vulnerable to cyber attacks
• Fourth-party technologies in use, to gain visibility into technology concentration risk and uncover peripheral technologies that could provide backchannels to your organization

Incorporating these insights into your RFx process will ensure not only that a selected solution is fit for purpose, but also that the supplier behind the solution doesn’t expose your organization to unnecessary risk.

Build Security Requirements into Supplier Contracts

Many organizations fail to consider that they may be able to mandate cybersecurity controls in contracts. SLAs and other contractual agreements can require third and fourth parties to implement or maintain cybersecurity controls to protect your organization's sensitive data.

Understand Profiled, Inherent and Residual Vendor Risk

Understanding the different types of supplier risk can enable you to make data-based decisions on how to apply vendor risk questionnaires, as well as to accurately compare suppliers based on measurable risk. At Prevalent, we categorize supplier risk into three types:

• Profiled Risk: Profiled risk applies to the category of product or service a supplier provides to your organization. For instance, a managed service providers (MSP) with access to your IT environment poses far more profiled risk than a cleaning contractor would.
• Inherent Risk: Inherent risk is the amount of risk a supplier poses prior to implementing security controls required by your organization. Inherent risk is calculated for specific companies based on risk assessments and risk monitoring data.
• Residual Risk: Residual risk is the risk that remains after a supplier has taken remediation or mitigation actions. Your risk management team will need to determine whether residual risks are acceptable or not.

Utilize Vendor Risk Questionnaires & Repositories

Vendor risk questionnaires can provide visibility into a supplier’s cyber security controls and help to avoid compliance violations. You can dramatically speed the supplier due diligence process by tailoring your questionnaires according to inherent risk and mapping answers to cybersecurity regulations applicable to your organization.

You should also consider segmenting questionnaires based on industry, service level, and/or level of system access. For instance, a software vendor might require a substantially different questionnaire than an onsite HVAC contractor. Effective use of vendor risk questionnaires can simplify compliance, streamline vendor onboarding, and provide visibility into the extended supply chain.

Using a third-party risk management platform can help to automate the process and reduce the time required to assess suppliers. In addition, subscribing to a vendor risk intelligence network is a cost-effective way to gain access to thousands of already-completed assessments and add scale to sourcing, selection, onboarding and inherent risk scoring.

Bonus Tip: When designing your vendor risk assessment questionnaires, include questions about fourth and Nth parties to gain visibility into risks deeper into the supply chain. Even if your third party has sound cybersecurity controls, one of its vendors could still trigger a data breach that ultimately impacts your organization.

Practice Continuous Monitoring Throughout Your Cyber Supply Chain

Practicing continuous third-party monitoring can help you to identify new vulnerabilities, data breaches and other security exposures affecting suppliers. Monitoring enables you to stay on top of risks that may emerge between periodic, questionnaire-based assessments. A strong cyber risk monitoring solution can provide intelligence from criminal forums, onion pages, dark web special access forums, threat feeds, paste sites, security communities, code repositories, vulnerability databases, and other sources.

In addition to providing early warning of potential incidents that could impact your organization, continuous monitoring can validate whether the controls reported in a supplier’s assessment responses are in place and functioning as intended.

Don’t Forget Fourth and Nth Parties

Unlike with physical goods, it can be difficult to track how your organization's information is stored and shared throughout your extended supply chain. Each organization in your cyber supply chain likely works with dozens, or even hundreds of software companies, outsourced IT contractors, and other third parties – several of which could have access to your company's information. The last thing that a CISO or CIO wants to hear is that the organization has been exposed to a data breach because of an Nth-party vendor's negligence.

Below are a few best practices you can use when evaluating and mitigating the fourth-party risk.

Identify Mission-Critical Vendors in Your Cyber Supply Chain

Building an effective C-SCRM program requires prioritizing which vendor risk to focus on. The average organization works with innumerable third, fourth and Nth parties. Finding every risk in the extended supply chain of each vendor is impossible. When working to get visibility into your fourth- and Nth-party cyber supply chain, start by focusing on the most important vendors based on their inherent risk scores. When prioritizing, consider:

• What level of access does the vendor have to regulated data such as PII, PFI, PHI and, where applicable, classified or controlled unclassified information?
• Is the vendor a software provider? If so, where are they hosting the organization's data and what security controls does the data center have?
• Does the vendor have its own cyber supply chain risk management program in place? If so, are they able to produce a report on their cyber supply chain risk?
• Does the organization base its information security and third-party risk management programs on widely accepted frameworks?

Map Your Extended Cyber Supply Chain

Building a comprehensive map of your supply chain, complete with dependencies and risk tiering, can enable you to get the visibility you need to make effective risk mitigation decisions. First, you need to ensure that you are gathering the necessary data. Questions regarding fourth and Nth parties in your extended supply chain should be standard on all vendor risk assessment questionnaires.

Once you have a good understanding of your third- and fourth-party ecosystem, you can identify vendors that may present single points of failure or unacceptable levels of information security risk. Here are some remediation suggestions if a fourth or Nth party is deemed to be high-risk:

• Request to update your contract with the relevant third party to limit data sharing or access to IT infrastructure with the high-risk fourth party
• Request additional information about the fourth party’s security controls and infrastructure
• Consider alternative third-party suppliers when contracts are up for renewal
• Work with the internal department associated with the third party to implement safeguards and limit sensitive data sharing
• Conduct continuous monitoring of the fourth party to reduce the risk of a compromise that could ultimately affect your organization

Periodically Reassess Supplier Risk

Risks are constantly emerging and evolving, so limiting critical suppliers to a single, point-in-time risk assessment is not enough. Be sure to reassess risk at multiple points throughout the lifecycle of the contract to ensure that residual risk hasn’t risen beyond acceptable levels. Here are some questions to consider:

• Does your C-SCRM program conduct risk assessments throughout the lifecycle of the contract or just once at the beginning?
• Are the scope and cadence of risk assessments determined based on risk findings from the vendor onboarding process?
• Are you able to effectively integrate changes in the vendors' residual risk profile into your broader third-party risk management workflow?
• Do you evaluate fourth- and Nth-party risk as part of your standard risk assessments?

Implement a Supplier Incident Response Plan

Premeditatio malorum – Latin for “the premeditation of evils and troubles that might lie ahead.” Or, to put it more plainly – plan for the worst! Unwanted supplier cyber events will happen. However, your organization’s level of preparation for those events can mean the difference between a severe disruption and a mild disturbance.

Effective incident management (IM) and C-SCRM go hand-in-hand. For example, identifying your third, fourth and Nth parties enables effective incident management – considering as many as half of all incidents originate with vendors. Supplier and subcontractor contracts need to include IM/breach notification requirements within a fixed timeframe (e.g., 24 hours) after a major incident is identified. Validating your supplier IM processes and contacts, along with periodic testing, can help to ensure operational readiness to respond to and resolve incidents.

Maintain Diligence During Offboarding

Many companies spend significant time on vendor due diligence, risk questionnaires, and mapping compliance requirements but fail to plan for the end of the relationship – when many security exposures occur. That’s why vendor offboarding is just as important as vendor onboarding. Failure to successfully offboard vendors and ensure that sensitive data has been destroyed and that IT access has been revoked can result in:

• Compliance issues if a contract has expired and the vendor still has access to IT systems
• Potential data breaches if a vendor has stored PII or PHI of your employees or customers
• Insider threats when contractor employees retain access to data and systems

C-SCRM Resources

There are several cyber supply chain risk management resources that you can look to when building or evaluating your program. Prominent resources include those published by the National Institute of Standards and Technology (NIST) and other government agencies, regulatory bodies, and private industry groups. Here are a few useful resources:

NIST Special Publication 800-161 r1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

NIST SP 800-161 is a cyber supply chain risk management framework that can help your organization build and mature its C-SCRM program. NIST 800-161provides detailed guidance on how to incorporate a C-SCRM program into your broader enterprise risk management strategy and covers critical success factors for building an effective C-SCRM program. NIST 800-161 controls are broken into 20 families ranging from access control to incident and response.

NIST C-SCRM Risk Exposure Framework

Appendix A of NIST SP 800-161 Rev 1 includes a risk exposure framework with detailed guidance for identifying potential Supply Chain Threat Scenarios. NIST defines a threat scenario as “a set of discrete threat events associated with a specific potential or identified existing threat source or multiple threat sources, partially ordered in time.” NIST’s Risk Exposure Framework enables you to identify and assign risk to various supply chain threat scenarios, and to incorporate these findings in your broader third-party risk assessment approach.

NIST C-SCRM Templates

Appendix D of NIST 800-161 r1 provides several templates for documenting your C-SCRM program, including implementation plans, compliance initiatives, strategic objectives, roles and responsibilities, and implementation milestones. These templates are invaluable for outlining a new C-SCRM program or enhancing your existing program with supporting documentation.

NIST Software Security Supply Chain Guidance

NIST published its Software Security Supply Chain Guidance in response to the requirements of Executive Order (EO) 14028 Section 4E on Improving the Nation’s Cybersecurity. The document is geared towards federal agencies, but many of the same practices can be employed by corporations seeking to mitigate cyber risks in their extended supply chains.

Security Measures for “EO-Critical Software”

Security Measures for EO Critical Software is another NIST document created in response to Executive Order 14028. NIST defines EO critical software as:

… any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

• is designed to run with elevated privilege or manage privileges;
• has direct or privileged access to networking or computing resources;
• is designed to control access to data or operational technology;
• performs a function critical to trust; or,
• operates outside of normal trust boundaries with privileged access. (Source)

The Security Measures document is intended principally for federal agencies, but it can easily be reused by private-sector entities. The document identifies software categories that should be considered “EO Critical,” which can help you to flag potentially high-risk suppliers during the profiling and tiering stage.

NIST Guidelines on Minimum Standards for Developer Verification of Software

This NIST document lays out specific guidelines for federal agencies to verify the security of software being used. This includes the following verification techniques that should form the basis for identifying risks:

• Threat modeling to identify design-level security issues
• Automated testing for consistency and to minimize human effort
• Static code scanning to reveal bugs
• Heuristic tools to look for possible hardcoded secrets
• Use of built-in checks and protections
• “Black box” test cases
• Code-based structural test cases
• Historical test cases
• Fuzzing
• Web application scanners, if applicable
• Address included code (libraries, packages, services)

HHS C-SCRM Guidance

The U.S. Department of Health and Human Services published a presentation on maturing a C-SCRM program. The presentation provides a high-level overview of C-SCRM best practices based on NIST and covers specific controls and control families that should be implemented as part of a holistic C-SCRM program.

Concerned About Cyber Supply Chain Risk Management? Prevalent Can Help.

Third-party cyber risk is growing exponentially. Prevalent provides an easy-to-use platform that enables you to automate supplier risk assessment questionnaires, assign risk scores to suppliers, monitor risk and changes over time, and manage and report on supplier risk. Using a dedicated TPRM platform can automate the supplier risk management lifecycle and enable your team to focus on reducing organizational risk. To see how Prevalent can help you manage supply chain risk, request a demo today.