NIST C-SCRM Key Practice 4: Understand Your Supply Chain

April 6th, 2021
Jackie Risley


In this Aravo blog series, we’ve been taking a closer look at each of the Key Practices in Cyber Supply Chain Risk Management recently published by the National Institute of Standards and Technology (NIST). Previously, we explored the first three (Integrate C-SCRM Across the Organization, Establish a Formal C-SCRM Program, Know and Manage Critical Suppliers), but the fourth marks a shift from an internal focus to an external focus: “Understand your Supply Chain.”

This guidance goes beyond knowing which suppliers are important to your organization: it calls for rigorously vetting those suppliers. That vetting takes two primary forms:

  • A deep understanding of the people and processes at your supplier, so that you can confirm they meet the standards you set for your own organization and can evaluate any inherent risks
  • Documentation of which suppliers your supplier relies on, and the nature of those relationships.

Understanding Subcontractor Relationships

Supply chain risks aren’t limited to your suppliers; they often extend throughout a global ecosystem to include their suppliers, partners, and other third parties – in other words, your fourth- and nth-party suppliers. Yet according to a 2020 survey by Deloitte, only about 20% of organizations reported performing any risk assessment of fourth parties.

That leaves the majority of organizations exposed to unforeseen risks that can affect the security of their systems and data. Do those subcontractors process your data or have access to your supplier’s network? Could they present a compliance risk, such as providing component parts from a sanctioned or embargoed company or country? Can you be certain that your supplier’s critical third party is financially viable?

How the Technology Can Support This

Without an automated, centralized C-SCRM system, managing and analyzing the volume of data associated with vetting suppliers and sub-suppliers can be overwhelming. When over-burdened team members have to rely on manual processes, they can easily miss risk indicators and may not be able to give high-risk or critical suppliers the attention they deserve. Technology can help teams improve control and visibility with capabilities such as:

  • Robust assessments that look deeply into your supplier’s people and processes. Built to reflect best practice and to align with regulatory and other industry guidance, assessments should be comprehensive, but should also allow the content to be scoped to the supplier and the product or service in question, so that due diligence is appropriate and “survey fatigue” is avoided.
  • The ability to gather data on fourth and nth parties. Understand which partners are critical to your suppliers and identify any partners that may have access to your data, so that additional due diligence can be focused on the sub-suppliers that pose the greatest risk to your organization.
  • Mapping of critical fourth and nth parties to understand overall risk exposure. Without this kind of analysis, teams may carry unrecognized exposure, such as concentration risk when multiple suppliers rely on the same sub-supplier(s).
  • Integration with third-party cyber risk data intelligence providers, such as SecurityScorecard and BitSight. These products typically apply proprietary data analysis to assign each supplier a score based on its risk posture, processes, and other factors. Systems can use the scores as part of an overall risk score, identify suppliers that require additional due diligence, or continuously monitor suppliers for changes in their cyber risk profiles.
  • Assessment of multiple risk domains for a more complete view of supplier risk. There are many indicators of a supplier’s resilience beyond its cyber security profile. For instance, lack of financial viability, regulatory non-compliance, and ESG (environmental, social and governance) violations can all affect operations and continuity of supply.
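The fourth- and nth-party mapping described in the list above, as an added example that is not part of the original post and not code from any Aravo product: a small Python script over a constructed, hypothetical supplier map (every company name is made up) that lists each critical supplier's transitive sub-suppliers, traces which of them sit on an unbroken chain of data access, and flags concentration risk where several critical suppliers depend on the same sub-supplier. The edge list, the `has_data_access` flag and the threshold of two shared suppliers are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample supply-chain map (hypothetical names, not real companies).
# Each edge is (upstream party, downstream sub-supplier, relationship, has_data_access),
# where has_data_access means the downstream party can see the upstream party's
# copy of our data in that relationship.
EDGES = [
    ("PayrollCo",    "CloudHostA",   "hosting",         True),
    ("PayrollCo",    "DataCenterX",  "colocation",      False),
    ("CRMVendor",    "CloudHostA",   "hosting",         True),
    ("CRMVendor",    "EmailRelayB",  "email delivery",  True),
    ("LogisticsInc", "ChipMakerZ",   "component parts", False),
    ("CloudHostA",   "DataCenterX",  "colocation",      True),   # hosted disks sit in DataCenterX
    ("CloudHostA",   "DNSProviderY", "dns",             False),
    ("EmailRelayB",  "CloudHostA",   "hosting",         True),
]


def build_graph(edges):
    """Adjacency list: upstream -> [(downstream, relationship, has_data_access), ...]."""
    graph = defaultdict(list)
    for upstream, downstream, relationship, has_data in edges:
        graph[upstream].append((downstream, relationship, has_data))
    return graph


GRAPH = build_graph(EDGES)


def nth_parties(graph, supplier):
    """Every party reachable from `supplier`, with the shortest hop count (1 = fourth party).

    Breadth-first search with a visited set, so a cyclic map cannot loop forever."""
    depth = {}
    queue = deque([(supplier, 0)])
    while queue:
        node, d = queue.popleft()
        for downstream, _, _ in graph.get(node, []):
            if downstream not in depth:
                depth[downstream] = d + 1
                queue.append((downstream, d + 1))
    return depth


def data_exposure(graph, supplier):
    """Sub-suppliers that can reach our data held by `supplier`.

    A party is exposed only if every hop on some chain from the supplier to it
    carries data access; a sub-supplier two hops away with no direct data
    relationship can still be exposed through an intermediary that has one."""
    exposed = set()
    stack = [supplier]
    while stack:
        node = stack.pop()
        for downstream, _, has_data in graph.get(node, []):
            if has_data and downstream not in exposed:
                exposed.add(downstream)
                stack.append(downstream)
    return exposed


def concentration_risk(graph, critical_suppliers, min_shared=2):
    """Sub-suppliers that at least `min_shared` critical suppliers depend on,
    directly or transitively, mapped to the sorted list of those suppliers."""
    relied_on_by = defaultdict(set)
    for supplier in critical_suppliers:
        for party in nth_parties(graph, supplier):
            relied_on_by[party].add(supplier)
    return {party: sorted(deps) for party, deps in relied_on_by.items()
            if len(deps) >= min_shared}


if __name__ == "__main__":
    critical = ["PayrollCo", "CRMVendor", "LogisticsInc"]
    for supplier in critical:
        print(f"{supplier}: nth parties {nth_parties(GRAPH, supplier)}; "
              f"data exposure {sorted(data_exposure(GRAPH, supplier))}")
    print("Concentration risk:", concentration_risk(GRAPH, critical))
```

Two things the map makes visible that a flat supplier list does not: DataCenterX appears as a no-data colocation partner of PayrollCo, yet it is exposed to PayrollCo's data through CloudHostA, and three sub-suppliers (CloudHostA, DataCenterX, DNSProviderY) are shared by two of the three critical suppliers, so an outage or breach at any of them hits more than one relationship at once. In a real program the edge list would come from supplier assessments rather than being typed in by hand.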

Vetting suppliers and their third parties is just one of NIST’s recommended Key Practices. This blog series explores the entire list, which includes:

  1. Integrate C-SCRM Across the Organization
  2. Establish a Formal C-SCRM Program
  3. Know and Manage Critical Suppliers
  4. Understand the Organization’s Supply Chain
  5. Closely Collaborate with Key Suppliers
  6. Include Key Suppliers in Resilience and Improvement Activities
  7. Assess and Monitor Throughout the Supplier Relationship
  8. Plan for the Full Life Cycle
