Cybersecurity Supply Chain Risk Management C-SCRM

Cybersecurity Supply Chain Risk Management (C-SCRM) involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of Information Communications Technology and Operational Technology (ICT/OT)  product and service supply chains throughout the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction). Examples of risks include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cybersecurity-related elements of the supply chain.

Since 2008, NIST has conducted research and collaborated with a large number and variety of stakeholders to produce information resources which help organizations with their C-SCRM.  By statute, federal agencies must use NIST’s C-SCRM and other cybersecurity standards and guidelines to protect non-national security federal information and communications infrastructure. The SECURE Technology Act and FASC Rule gave NIST specific authority to develop C-SCRM guidelines. NIST is also a member of the Federal Acquisition Security Council (FASC).

Implementing NIST C-SCRM standards and guidance (such as the foundational C-SCRM document Special Publication (SP) 800-161r1) can create a C-SCRM Project Management Office (PMO) or risk function (for smaller organizations without the capacity to maintain an entire C-SCRM PMO and personnel.  The NIST C-SCRM program helps organizations to manage the increasing risk of supply chain compromise related to cybersecurity, whether intentional or unintentional. 

C-SCRM Resources

C-SCRM News