NIST C-SCRM Key Practice 3: Know and Manage Critical Suppliers

April 6th, 2021 Jackie Risley Reading Time: 3 minutes

The global pandemic has underscored the need to understand risk associated with critical third parties in your cyber supply chain as they can bring your business to a halt or at least have a major negative impact. So it’s no wonder that the National Institute of Standards and Technology (NIST) listed “Know and Manage Critical Suppliers” as one of its “Key Practices in Cyber Supply Chain Risk Management: Observations from Industry.” Unfortunately, this advice can be hard to put into practice, especially for organizations trying to manage cyber supply chain risk using manual or disparate systems.

Recent Aravo research found that 25% of survey respondents didn’t know what percentage of their third parties would be categorized as critical. And fewer than one-third felt they could report on critical third parties quickly and completely. Not having access to data related to critical vendors exposes organizations to serious risk and limits the ability to create effective business continuity and organizational resilience plans.

This is the third in a series of Aravo blogs exploring NIST’s Key Practices. Previous installments focused on integrating C-SCRM across the organization and establishing a formal C-SCRM program.

Defining Supplier Criticality

Before you can leverage technology to identify critical suppliers, the first step is to decide which criteria define a critical supplier. Beyond the obvious case of a supplier whose disruption would leave you unable to function, critical supplier designation can be based on multiple factors, such as the amount of spend, the volume or sensitivity of data processed, or the supplier's ability to act as a threat vector into your environment. The NIST guidance includes links to additional resources that can help you determine the criteria that are most appropriate for your organization.

In Aravo industry research, organizations that are able to track supplier criticality typically report that about 10% of their suppliers are categorized as critical. However, there is no universal heuristic for how many suppliers should be considered critical. That decision will be driven by the nature of your business and your supplier ecosystem.

How Technology Supports This

Even with perfectly defined criteria, trying to identify and tier suppliers using spreadsheets can be complicated and prone to error. To streamline this process and reduce exposure, you’ll want to choose technology that can:

  • Systematically identify critical suppliers during the onboarding and assessment processes by applying your criteria. The system should be able to apply business rules and logic easily configured to reflect your organization’s priorities.
  • Automatically conduct a level of due diligence aligned to the criticality and risk profile of the supplier. The system should be able to require suppliers with the highest combination of criticality and risk to undergo more detailed assessment processes and, when needed, meet risk mitigation requirements.
  • Proactively alert you to events that could threaten the continuity of supply (e.g. weather, geo-political events, biohazards) and generate business impact assessments for critical suppliers. The system should include a complete workflow for evaluating the hazard and conducting any additional activities required to mitigate the risk.
  • Identify alternate sources of supply within your cyber supplier base and/or facilitate RFP/RFI solicitation. In a crisis, your competitors will likely also be looking to backfill suppliers, so it’s crucial to act quickly to avoid delays.
  • Monitor contractual terms throughout the life cycle of the relationship. Typically based on master specifications that take supplier criticality into account, these contractual terms should be subject to performance management that accounts for qualitative and quantitative evaluation.
  • Trigger escalation processes appropriate to the situation as needed, ranging from logging a case and resolving the issue via intelligent automation to termination and off-boarding. Data that signals non-compliance can include performance management feedback, changes in security-related risk scores (such as those from BitSight or Security Scorecard), adverse media (e.g. reports of a breach), or a self-reported issue logged by a user.
  • Provide feedback to the contracting team responsible for negotiating contracts to refine terms and conditions. A C-SCRM team should be able to identify additional risk dimensions for that particular kind of supplier, as well as monitor the performance of and compliance to the established contract terms.
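As an added illustration of the rules a platform like this would apply (example code, not Aravo's product or NIST's guidance), the snippet below turns the criteria from the "Defining Supplier Criticality" section into a configurable rule set, derives the depth of due diligence from criticality and the supplier's security rating, and triggers escalation on a rating drop. All thresholds, rule names and supplier records are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed example: criticality criteria drive a tier, tier plus security
# rating drive due-diligence depth, and rating drops trigger escalation.
# All thresholds, rule names and supplier records are assumptions.
@dataclass
class Supplier:
    name: str
    annual_spend: float          # USD per year
    data_sensitivity: int        # 0 none, 1 internal, 2 confidential, 3 regulated/PII
    has_network_access: bool     # could act as a threat vector into our environment
    sole_source: bool            # no ready alternate source of supply
    security_score: int          # external security rating, 0-100
    security_score_prev: Optional[int] = None  # previous rating, if any

# Configurable business rules; each returns True when a criticality criterion is met.
RULES = {
    "spend_over_threshold": lambda s: s.annual_spend >= 1_000_000,
    "processes_sensitive_data": lambda s: s.data_sensitivity >= 2,
    "threat_vector": lambda s: s.has_network_access,
    "no_alternate_source": lambda s: s.sole_source,
}

def criticality_tier(s: Supplier) -> str:
    hits = [name for name, rule in RULES.items() if rule(s)]
    # A sole-source supplier is critical on its own; otherwise two criteria are needed.
    if "no_alternate_source" in hits or len(hits) >= 2:
        return "critical"
    return "important" if hits else "standard"

def due_diligence_level(s: Supplier) -> str:
    # Assessment depth follows the combination of criticality and current rating.
    tier = criticality_tier(s)
    if tier == "critical":
        return "enhanced_with_remediation_plan" if s.security_score < 70 else "enhanced"
    return "standard" if tier == "important" else "basic"

def escalation_actions(s: Supplier) -> list:
    # Non-compliance signals open a case, start alternate sourcing, or escalate.
    actions = []
    if s.security_score_prev is not None and s.security_score_prev - s.security_score >= 10:
        actions.append("open_case:security_score_drop")
    if criticality_tier(s) == "critical" and s.sole_source:
        actions.append("start_alternate_sourcing")
    if criticality_tier(s) == "critical" and s.security_score < 50:
        actions.append("escalate_to_cscrm_lead")
    return actions

# Constructed supplier records (not real companies).
SAMPLE = [Supplier("Cloud host", 2_500_000, 3, True, False, 82, 85),
          Supplier("Sole-source parts", 50_000, 0, False, True, 61, 78),
          Supplier("Office catering", 200_000, 1, False, False, 90)]
```

Swapping the lambdas in RULES or the thresholds in the two level functions is the configuration step the first bullet above describes; the tiering and escalation logic itself stays unchanged.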

Check out the other installments of this blog series to explore the rest of NIST’s Key Practices. The complete list includes:

1. Integrate C-SCRM Across the Organization
2. Establish a Formal C-SCRM Program
3. Know and Manage Critical Suppliers
4. Understand the Organization’s Supply Chain
5. Closely Collaborate with Key Suppliers
6. Include Key Suppliers in Resilience and Improvement Activities
7. Assess and Monitor Throughout the Supplier Relationship
8. Plan for the Full Life Cycle
