NIST Key Practice 2: Establish a Formal C-SCRM Program

April 2, 2021, by Jackie Risley

As explored in our previous blog in this series, Integrate C-SCRM Across the Organization was the first of 8 Key Practices for Cyber Supply Chain Risk Management (C-SCRM) programs outlined in the National Institute of Standards and Technology (NIST)’s recent report, “Key Practices in Cyber Supply Chain Risk Management: Observations from Industry.” While the integration of C-SCRM across the organization is foundational, it won’t lead to real change without NIST’s second Key Practice: Establish a formal C-SCRM program.

First and foremost, formalizing your C-SCRM program increases accountability because, all too often, when everyone is responsible, no one is responsible. The NIST guidance recommends “clear definition of roles of individuals responsible for cybersecurity aspects of supplier relationships” and provides a checklist of best practices for formal programs.

Organizations that formalize their practices with a collaborative approach prior to implementing a third-party risk management (TPRM) automation system are more successful than organizations that approach this type of program in a disconnected way. The combination of accountability and collaboration helps them to make better decisions when it comes to selecting, designing, and deploying a solution that meets the needs of all stakeholders who bear some level of responsibility for reducing risk and delivering value.

How Technology Supports This

A formal C-SCRM practice has many stakeholders with different roles, priorities, and responsibilities. Meeting the needs of cross-functional stakeholders and staying on top of the volume of data and processes is challenging for owners of the formal C-SCRM practice who have to rely on spreadsheets and emails. Technology that aligns to the recommendations in NIST’s Key Practice helps C-SCRM practice owners be more efficient, effective, and successful when it can:

  • Act as a single source of truth for data related to cyber suppliers, including risks beyond cyber security, such as financial viability, concentration risk, and/or business continuity risk. Though administered by the C-SCRM team (or third-party risk, vendor risk, or equivalent in your organization), the system should support the entire organization, including role-based dashboards, views, and processes.
  • Deliver metrics and reporting aligned to the board requirements. NIST’s Key Practice calls for increased board or executive-level involvement, and industry research shows that board involvement is highly correlated with program maturity.
  • Support NIST’s recommendation to provide enterprise training by embedding guidance into the context of the process, such as an explanation of the regulatory requirements or controls related to a specific assessment. Products with robust APIs can even integrate learning management system (LMS) content into the user experience.
  • Standardize processes, such as establishing a consistent set of security requirements and controls for suppliers, tiering suppliers based on criticality or risk profile, and preventing onboarding of banned or disqualified suppliers.
  • Support shared assessments, such as the SIG (Standard Information Gathering), which is used by 15,000+ organizations worldwide and aligns to NIST 800-53r4 and NIST CSF 1.1, as well as numerous other international standards. A robust system will be able to complement these standardized assessments with automation and life cycle management in combination with assessments specific to your organization’s requirements, when appropriate.
  • Track performance to SLAs by gathering qualitative and quantitative feedback specific to contractual requirements. C-SCRM program professionals should be able to automatically share performance assessment scores internally (to inform contract discussions or trigger remediation) or externally with the supplier.
  • Automatically log issues and trigger corrective actions when suppliers fall out of compliance with SLAs or their risk profile materially changes.
  • Identify alternate sources of supply when suppliers are unable to meet their obligations. Ideally, your system should be able to warn you of possible supply chain disruptions (e.g., weather, geopolitical events, or biohazards) so that you can conduct proactive business impact assessments and take appropriate action.
  • Include protocols for terminating and off-boarding suppliers. While this specific guidance focuses on minimizing data leakage risk related to hardware disposal, a well-equipped C-SCRM practice can identify a multitude of opportunities to improve cyber security when off-boarding suppliers that have network access, premises access, or backup copies of sensitive data.

Formalizing your C-SCRM program is a necessary step in effectively managing and mitigating risks posed by your suppliers, but it’s just the beginning of the journey. This blog series explores all of NIST’s Key Practices to help you understand how technology can help you meet these expectations. The full list includes:

  1. Integrate C-SCRM Across the Organization
  2. Establish a Formal C-SCRM Program
  3. Know and Manage Critical Suppliers
  4. Understand the Organization’s Supply Chain
  5. Closely Collaborate with Key Suppliers
  6. Include Key Suppliers in Resilience and Improvement Activities
  7. Assess and Monitor Throughout the Supplier Relationship
  8. Plan for the Full Life Cycle
