Cybersecurity - Supply Chain Risk Management (C-SCRM)
In this application, the term supply chain refers to the linked set of resources and processes between and among multiple levels of an enterprise and its third parties, each of which acts as an acquirer. It begins with the sourcing of products and services and extends through the entire product and service life cycle.
Given this definition, cybersecurity risks throughout the supply chain refer to the potential for harm or compromise that may arise from suppliers, their supply chains, their products, or their services.
Such risks result from threats that exploit vulnerabilities or exposures in the products and services that traverse the supply chain, or from threats that exploit vulnerabilities or exposures in the supply chain itself. Examples of cybersecurity risks throughout the supply chain include:
- A widget manufacturer whose design material is stolen in another country, resulting in the loss of intellectual property and market share.
- A widget manufacturer that experiences a supply disruption for critical manufacturing components due to a ransomware attack at a supplier three tiers down in the supply chain.
- A store chain that experiences a massive data breach tied to an HVAC vendor with access to the store chain’s data-sharing portal.
Organizations increasingly rely on external providers for products, systems, and services to carry out their missions and business functions, but they remain accountable for the risks incurred. These relationships may be formed through joint ventures, contracts, outsourcing, or other agreements. Reliance on external providers introduces risks such as counterfeiting, tampering, unauthorized production, malicious software or hardware, and poor manufacturing practices. These risks are amplified by the global and distributed nature of supply chains, which limits an organization's visibility into how products and services are developed, integrated, and deployed.
To mitigate these risks, organizations develop a Cybersecurity Supply Chain Risk Management (C-SCRM) policy that aligns with applicable laws, regulations, and internal policies. This policy defines roles and responsibilities and specifies how C-SCRM is integrated with enterprise risk management and the system development life cycle (SDLC). It also addresses procurement, risk assessments, threat intelligence, mitigation strategies, and performance monitoring.
Note that SCRM and C-SCRM refer to the same concept for the purposes of NIST publications. In general practice, C-SCRM is at the nexus of traditional Supply Chain Risk Management
SCRM requires coordinated efforts across the organization, involving both internal and external stakeholders. Activities include identifying risks, determining mitigating actions, developing SCRM plans, and monitoring performance.
The level of assurance an organization gains from external providers depends on the degree of control it has over their security and privacy controls, established through contracts or service-level agreements. Some organizations exert significant control; others, such as those using off-the-shelf products or commodity services, have limited influence. Ultimately, organizations remain responsible for managing the risks that arise from external providers and must ensure that an appropriate chain of trust is established.
(Source: NIST SP 800-161)