The longer a global supply chain grows, the less visibility and assurance corporations have into the integrity and security of their products and operations. Now NIST is trying to pierce that fog, and compliance officers in the private sector might want to take notice.
Earlier in April the National Institute of Standards and Technology issued its latest guidance, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations”—a 282-page missive on how to better manage the supply chain for technology products, to root out cyber-threats that might leave a piece of IT equipment compromised or simply malfunctioning. NIST’s guidance is intended for government agencies acquiring lots of IT and communication technology, but the principles behind it are just as useful elsewhere.
“Every organization relies upon technology, whether it’s in their manufacturing processes, their products, or services, or if it’s to enable their business activity,” says Jon Boyens, a senior adviser for information security at NIST and co-author of the guidance.
In today’s globalized world, the components of a laptop or a cellular phone, for example, are routinely manufactured in many different locations, while assembly of the final product may take place in yet another part of the world. Now imagine how much more complex that supply chain becomes for a much larger system, such as the avionics in a commercial airplane or a communications network for the military.
“Each access point into the technology, which ultimately is assembled into one product or service, creates risk,” Boyens says. Hackers might try to embed malicious software within those components, or poorly trained workers might just assemble a bad part. Either way, the threats to the supply chain are many, and the final result is the same: an untrustworthy product, a problem you might not even know exists.
“Cyber-supply chain risk management is still a fairly nascent discipline,” Boyens says. “I would say it’s where traditional supply chain risk management was about 15 years ago. It’s still developing.”
One part of the guidance describes three tiers of risk management to help organizations integrate ICT supply chain risk management (yes, there’s an acronym for that: ICT SCRM) effectively. They are:
Tier 1: Organization. In this tier, the company’s executive leadership team defines the company’s overall ICT SCRM strategy, policies, goals, and objectives. These activities “help to ensure that ICT SCRM mitigation strategies are cost-effective, efficient, and consistent with the strategic goals and objectives of the organization,” the guidance states. This tier is also responsible for establishing a risk tolerance level for ICT supply chain risks.
Senior leadership support is “non-negotiable,” says Jennifer Bisceglie, president and CEO of Interos Solutions, a consulting firm that works on supply chain risk management. It must be connected to the business objective, she says, or leadership will not support it.
At the organization tier, another step is to establish a team with roles and responsibilities for leading and supporting ICT SCRM activities. “We advocate a team-based approach,” Boyens stresses. The specific functions that may be involved in managing ICT supply chain risks can include compliance, risk, legal, IT, supply chain and logistics, acquisition and procurement, and other relevant functions, he says.