NIST C-SCRM Key Practice 4: Understand Your Supply Chain

April 6th, 2021 Jackie Risley Reading Time: 3 minutes
Cyber Security Online Computer - FI

In this Aravo blog series, we’ve been taking a closer look at each of the Key Practices in Cyber Supply Chain Risk Management recently published by the National Institute of Standards and Technology (NIST). Previously, we explored the first three (Integrate C-SCRM Across the Organization, Establish a Formal C-SCRM Program, Know and Manage Critical Suppliers), but the fourth marks a shift from an internal focus to an external focus: “Understand your Supply Chain.”

This guidance goes beyond just knowing which suppliers are important to your organization to rigorously vetting your suppliers. This takes two primary forms:

Understanding Subcontractor Relationships

Supply chain risk aren’t limited to your suppliers, but often extend throughout a global ecosystem to include their suppliers, partners, and other third parties – in other words, your fourth- and nth party suppliers. But according to a 2020 survey by Deloitte, only about 20% of organizations reported that they are performing any risk assessment of fourth parties.

That leaves the majority of organizations vulnerable to unforeseen risks that can impact the security of their systems and data. Do those sub-contractors process your data or have access to your supplier’s network? Could they present a compliance risk, such as providing component parts from a sanctioned or embargoed company or country? Can you be certain that your supplier’s critical third party is financially viable?

How the Technology Can Support This

Without an automated, centralized C-SCRM system, managing and analyzing the volume of data associated with vetting suppliers and sub-suppliers can be overwhelming. When over-burdened team members have to rely on manual processes, they can easily miss risk indicators and may not be able to give high-risk or critical suppliers the attention they deserve. Technology can help improve control and visibility teams with capabilities such as:

Vetting suppliers and their third parties is just one of NIST’s recommended Key Practices. This blog series explores the entire list, which includes:

  1. Integrate C-SCRM Across the Organization
  2. Establish a Formal C-SCRM Program
  3. Know and Manage Critical Suppliers
  4. Understand the Organization’s Supply Chain
  5. Closely Collaborate with Key Suppliers
  6. Include Key Suppliers in Resilience and Improvement Activities
  7. Assess and Monitor Throughout the Supplier Relationship
  8. Plan for the Full Life Cycle

Share with Your Friends:

Subscribe to Blog Updates

Our Expertise
Who We Help

Ready to get started?

Get in touch for a better approach to third-party risk management