
NIST CYBERSECURITY & PRIVACY PROGRAM

Cybersecurity Supply Chain Risk Management


When a supply chain is compromised, its security can no longer be trusted, whether it involves a chip, laptop, server, other technology, a non-electronic product, or a service. The National Institute of Standards and Technology (NIST) is responsible for developing reliable and practical standards, guidelines, tests, and metrics to help manufacturers, retailers, government agencies, and other organizations with their Cybersecurity Supply Chain Risk Management (C-SCRM). The private and public sectors rely heavily on these NIST-produced resources. That includes organizations that develop – or simply use – information, communications, and operational technologies that depend upon complex, globally distributed, and interconnected supply chains. These supply chains cover the lifecycle – from research and development, design, and manufacturing to acquisition, delivery, integration, operations and maintenance, and disposal.

NIST has collaborated with public and private sector stakeholders to research and develop C-SCRM tools and metrics, producing case studies and widely used guidelines on mitigation strategies. These multiple resources reflect the complex global marketplace and assist federal agencies, companies, and others in managing cybersecurity risks in supply chains that threaten their information systems and organizations. The SECURE Technology Act and FASC Final Rule gave NIST specific authority to develop C-SCRM guidelines. NIST is also a member of the Federal Acquisition Security Council (FASC). A May 2021 Executive Order assigned NIST additional responsibilities related to software supply chains relied upon by federal agencies.

SCOPE AND APPROACH

Managing cybersecurity supply chain risk requires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services. NIST focuses on:

• Foundational Practices: C-SCRM lies at the intersection of information security and supply chain risk management. Existing supply chain and cybersecurity practices provide a foundation for building an effective risk management program.

• Enterprise-wide Practices: Effective C-SCRM is an enterprise-wide activity that involves each tier (Organization, Mission and Business Processes, and Information Systems) and is implemented throughout the system development life cycle.

• Risk Management Processes: C-SCRM should be implemented as part of overall risk management activities, such as those described in Managing Information Security Risk (NIST SP 800-39), the NIST Cybersecurity Framework, and Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286). Activities should involve identifying and assessing applicable risks, determining appropriate responses, developing a C-SCRM Strategy and Implementation Plan to document selected responses, and monitoring performance against that plan. Because cyber supply chains differ across and within organizations, the strategy and plan should be tailored to individual organizational contexts.

  o Risk: Cyber supply chain risk is associated with a lack of visibility into, understanding of, and control over processes and decisions involved in developing and delivering cyber products and services acquired by federal agencies.

  o Threats and Vulnerabilities: Effectively managing cyber supply chain risk requires a comprehensive view of threats and vulnerabilities. Threats can be either adversarial (e.g., tampering, counterfeits) or non-adversarial (e.g., poor quality, natural disasters). Vulnerabilities may be internal (e.g., organizational procedures) or external (e.g., part of an organization’s supply chain).

C-SCRM Fact Sheet | May 2022 1


• Critical Systems: Cost-effective supply chain risk mitigation requires organizations to identify systems and components that are most vulnerable and cause the largest organizational impact if compromised.

KEY NIST RESOURCES & ACTIVITIES

Focusing on federal agencies – while also engaging with and providing resources useful to other levels of government and the private sector – NIST:

• Produced Cybersecurity Supply Chain Risk Management for Systems and Organizations (SP 800-161 Revision 1) to guide organizations in identifying, assessing, and responding to supply chain risks at all levels. It is flexible and builds on organizations’ existing information security practices.

• Participates in the Federal Acquisition Security Council, or FASC, created by law in 2018. The Council helps to develop policies and processes for agencies to use when purchasing technology products and services. It recommends C-SCRM standards, guidelines, and practices that NIST should develop.

• Integrated C-SCRM considerations into other NIST guidance, including the Cybersecurity Framework, Risk Management Framework, and Security and Privacy Controls for Information Systems and Organizations (SP 800-53 R5) – all widely used by federal agencies and others.

• Released Criticality Analysis Process Model: Prioritizing Systems and Components (NISTIR 8179), aimed at identifying systems and components that are most vital and may need additional security or other protections.

• Released Blockchain and Related Technologies to Support Manufacturing Supply Chain Traceability: Needs and Industry Perspectives (NISTIR 8419), which explores the issues that surround traceability, the role that blockchain and related technologies may be able to play to improve traceability, and several industry case studies.

• Finalized Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (NISTIR 8276), summarizing practices foundational to an effective C-SCRM program.

• Hosts the Federal C-SCRM Forum, which fosters collaboration and the exchange of information among federal organizations to improve the security of their supply chains. It includes those responsible for C-SCRM in the federal ecosystem, among them the Office of Management and Budget (OMB), Department of Defense (DOD), Office of the Director of National Intelligence (ODNI), Cybersecurity and Infrastructure Security Agency (CISA), General Services Administration (GSA), and NIST.

• Co-leads the Software and Supply Chain Assurance Forum with DOD, the Department of Homeland Security (DHS), and GSA. The Forum provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective practices and mitigation strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved.

• Released Preliminary Draft NIST Cybersecurity Practice Guide 1800-34, Validating the Integrity of Computing Devices (Volumes A, B, and C), which is the multi-year culmination of a demonstration project to identify methods that help organizations verify that their purchased computing devices’ internal components are genuine and have not been altered during manufacturing or distribution, or after sale from a retailer until the device is retired from service. This is a collaboration with the private sector via the NIST-led National Cybersecurity Center of Excellence (NCCoE).

Additional Resources:

• NIST’s C-SCRM Program website: http://scrm.nist.gov

• NIST’s Case Studies and Key Practices in C-SCRM Project: https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/key-practices

• NIST-Sponsored Research on C-SCRM: https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/NIST-Sponsored-Research

• Software and Supply Chain Assurance Forum: https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/ssca

• Federal C-SCRM Forum: https://csrc.nist.gov/federal-c-scrm

For more information, contact Jon Boyens at NIST: 301-975-5549 (T) | Boyens@NIST.gov
