Using NIST SP 800-161 for Cybersecurity Supply Chain Risk Management

SP 800-53r5 Supply Chain-Specific Controls & Applicable SP 800-161r1 Cybersecurity Risk Management Guidance

Best Practice Capabilities

SR-1 Policy and Procedures

Develop, document, and disseminate:
1. A supply chain risk management policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;
b. Designate an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and
c. Review and update the current supply chain risk management:
1. Policy and
2. Procedures

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance:

…Enterprise functions including but not limited to information security, legal, risk management, and acquisition should review and concur on the development of C-SCRM policies and procedures or provide guidance to system owners for developing system-specific C-SCRM procedures.

SR-2 Supply Chain Risk Management Plan

a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems, system components, or system services
b. Review and update the supply chain risk management plan as required, to address threat, organizational or environmental changes; and
c. Protect the supply chain risk management plan from unauthorized disclosure and modification.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance:

C-SCRM plans describe implementations, requirements, constraints, and implications at the system level. … C-SCRM plans should be developed as a standalone document and only integrated into existing system security plans if enterprise constraints require it.

SR-3 Supply Chain Controls and Processes

a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes in coordination with supply chain personnel;
b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events; and
c. Document the selected and implemented supply chain processes and controls in the supply chain risk management plan.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance:

… Departments and agencies should … implement this guidance in accordance with Executive Order 14028 on Improving the Nation's Cybersecurity.

Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program in line with your broader information security and governance, enterprise risk management, and compliance programs.

Seek out experts to collaborate with your team on:

• Defining and implementing TPRM and C-SCRM processes and solutions
• Selecting risk assessment questionnaires and frameworks
• Optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding – according to your organization’s risk appetite

As part of this process, you should define:

• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Risk scoring and thresholds based on your organization’s risk tolerance

Continually evaluate the effectiveness of your TPRM program according to changing business needs and priorities, measuring third-party vendor key performance indicators (KPIs) and key risk indicators (KRIs) through the relationship lifecycle.

SR-4 (4) Provenance | Supply Chain Integrity – Pedigree

Employ controls and analyze to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance:

Provenance should be documented for systems, system components, and associated data throughout the SDLC. Enterprises should consider producing SBOMs for applicable and appropriate classes of software, including purchased software, open-source software, and in-house software…

As part of the due diligence process, require vendors to provide updated software bills of materials (SBOMs) for their software products. This will help you identify any potential vulnerabilities or licensing issues that may impact your organization’s security and compliance.

SR-5 Acquisition Strategies, Tools, and Methods

Employ acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance:

… Departments and agencies should … implement this guidance in accordance with Executive Order 14028 on Improving the Nation's Cybersecurity.

Centralize and automate the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs) in a single solution that enables comparison on key attributes.

As all service providers are being centralized and reviewed, teams should create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

This level of due diligence creates greater context for making vendor selection decisions.

SR-6 Supplier Assessments and Reviews

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance:

In general, an enterprise should consider any information pertinent to the security, integrity, resilience, quality, trustworthiness, or authenticity of the supplier or their provided services or products. Enterprises should consider applying this information against a consistent set of core baseline factors and assessment criteria to facilitate equitable comparison (between suppliers and overtime). Depending on the specific context and purpose for which the assessment is being conducted, the enterprise may select additional factors. The quality of information (e.g., its relevance, completeness, accuracy, etc.) relied upon for an assessment is also an important consideration. Reference sources for assessment information should also be documented...

Continuously track and analyze external threats to third parties. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions, and financial information.

Monitoring sources typically include:

• Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
• Databases containing several years of data breach history for thousands of companies around the world

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation, and response initiatives.

SR-8 Notification Agreements

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the notification of supply chain compromises; and results of assessments or audits.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance:

At minimum, enterprises should require their suppliers to establish notification agreements with entities within their supply chain that have a role or responsibility related to that critical service or product…

Centralize the distribution, discussion, retention, and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced. Key capabilities include:

• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly.

SR-13 Supplier Inventory

Develop, document, and maintain an inventory of suppliers that:
1. Accurately and minimally reflects the organization’s tier-one suppliers that may present a cybersecurity risk in the supply chain;
2. Is it at the level of granularity deemed necessary for assessing criticality and supply chain risk, tracking, and reporting;
3. Documents the following information for each tier one supplier (e.g., prime contractor): review and update supplier inventory.
i. Unique identify for procurement instrument (i.e., contract, task, or delivery order);
ii. Description of the supplied products and/or services;
iii. Program, project, and/or system that uses the supplier’s products and/or services; and
iv. Assigned criticality level that aligns with the criticality of the program, project, and/or system (or component of the system).
b. Review and update the supplier inventory.

Applicable SP 800-161r1 Cybersecurity Risk Management Guidance:

Enterprises rely on numerous suppliers to execute their missions and functions. Many suppliers provide products and services in support of multiple missions, functions, programs, projects, and systems. Some suppliers are more critical than others, based on the criticality of missions, functions, programs, projects, and systems that their products and services support, and the enterprise’s level of dependency on the supplier. Enterprises should use criticality analysis to help determine which products and services are critical to determining the criticality of suppliers to be documented in the supplier inventory...

Centralize all supplier insights into a single supplier profile so that all departments that engage with suppliers leverage the same information, improving visibility and decision-making.

Import vendors via a spreadsheet template or through an API connection to an existing procurement solution, eliminating error-prone, manual processes.

Populate key supplier details with a centralized and customizable intake form and associated workflow. This should be available to everyone via email invitation, without requiring any training or solution expertise.

Build comprehensive supplier profiles that compare and monitor supplier demographics, geographic location, fourth-party technologies, and recent operational insights. Having this accumulated data will enable you to report on and take action against geographic and technology concentration risks especially.