
NIST Updates Cybersecurity Guidance for Supply Chain Risk Management

The revised publication offers key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains.

Cybersecurity Supply Chain Risk Management (C-SCRM) is the process of managing exposure to cybersecurity risks throughout the supply chain and developing appropriate response strategies, policies, processes, and procedures. The updated publication is Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1). It provides agencies with guidance to identify, assess, and respond to cybersecurity risks throughout the supply chain at all organizational levels.

The publication provides key practices for organizations to adopt as they develop their capabilities to manage cyber risks within and across supply chains. The update also encourages organizations to consider vulnerabilities “not only of a finished product they are considering using, but also of its components – which may have been developed elsewhere”.

The guidance defines a ‘supply chain’ as a set of resources and processes between and among multiple levels of an enterprise, each of which is an acquirer, that begins with the sourcing of products and services and extends through the product and service life cycle.

The practices and controls described in the document apply to both information technology (IT) and operational technology (OT) environments, and they include Internet of Things (IoT) devices.
