The Ultimate Guide to
NIST SP 800-161
NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, guides organizations on identifying, assessing, and mitigating cyber supply chain risks at all levels of their organization. The publication integrates cyber supply chain risk management (C-SCRM) into risk management activities by applying a multi-level, C-SCRM-specific approach, including guidance on developing C-SCRM strategy, implementation plans, C-SCRM policies, and C-SCRM risk assessments for products and services.
The importance of a cybersecurity supply chain risk management program
Establishing a robust cybersecurity supply chain risk management program needs to be a top priority for every organization today–regardless of size or the nature of business. Supply chain-related cybercrime accelerated into overdrive in 2020 and is showing no signs of slowing. Supply chain breaches have become alarmingly prevalent, with over 60% of data breaches worldwide resulting from third-party exposure. In 2020, a whopping 90% of businesses experienced a cybersecurity incident like a data breach because of a third-party or supply chain failure.
Global giants in every industry feel the pain of overlooking supply chain risk. In early 2020, Solarwinds, a Texas-based IT management company, had their systems hacked with malicious code added to the popular Orion software product. Seemingly innocent software updates were responsible for infecting many high-end Solarwinds customers. The largest healthcare breach of 2020 occurred when a significant number of nonprofits using a fundraising platform designed by the cloud computing vendor Blackbaud had sensitive data stolen and held hostage. This famous ransomware supply chain attack negatively impacted approximately two dozen healthcare providers and 10 million patients.
Today, organizations rely heavily on third-party vendors and suppliers for products and services–probably more now than ever as outsourcing has become the wave of the present. Companies depend on extensive supply chain networks to run their businesses, operate efficiently, and serve customers.
Why are supply chain risks so difficult to identify?
Think about it–how well do you know your suppliers and vendors? Organizations using third-party supply chains to acquire products and services face a lot of unknowns. Acquirers often don’t know how purchased technology is developed, integrated, and deployed or how providers deliver services. Also, most organizations have limited visibility into their supply chain’s security and compliance policies and practices. Here is a telling statistic – 69% of organizations admit they don’t have full visibility into their vendors’ security practices.
Supply chains can introduce risk to your organization in numerous ways, and below are a few common means of entry and how they affect victims:
Today, organizations choosing to ignore the security posture of their supply chain do so at their own peril. The consequences of such oversight can easily result in a breach with a heavy price tag today–according to IBM’s Cost of Data Breach Report 2021, the financial hit of suffering a breach has now reached 4.24 million. These weighty economic costs can include recovery, downtime, lost revenue, and potential fines and penalties for regulatory violations. All this, in addition to your company’s name being splashed across the news and the resulting fallout and reputational damage.
What is the purpose of NIST SP 800-161?
NIST SP 800-161 provides a trusted source of directional guidance on identifying, assessing, and mitigating supply chain risks for all types of businesses and organizations. This guideline is uniquely helpful in integrating C-SCRM into established risk management activities by applying a multi-level, C-SCRM-specific approach. NIST SP 800-161 provides in-depth instruction on creating C-SCRM strategy plans, policies, implementation, and risk assessments for products and services. The NIST SP 800-161 document was revised in both April and October of 2021, with the final version expected to be released in Q3 of 2022.
The introduction section of NIST SP 800-161 outlines the document’s purpose, introduces target audience profiles, and discusses owner/operator and supplier/enterprise relationships concerning C-SCRM.
The second section dives into the governance, organizational structures, roles, responsibilities, and activities performed across all three C-SCRM levels. Recent history shows us the critical importance of managing supply chain risk and making it a central pillar in any organization’s overall risk management program. Section 2 explains the integration of C-SCRM with the enterprise-wide risk management processes described in NIST SP 800-39, including the continuous and iterative steps of framing, assessing, responding to, and mitigating risk.
Section 2 also builds a business case for C-SCRM, discusses risk in supply chains, and explains the three-tiered, multi-level risk management approach created to ensure a seamless C-SCRM process. Each level contains stakeholders from multiple disciplines, including information security, engineering, HR, and legal, to collectively execute and continuously improve C-SCRM activities. Level 1 is the executive tier focusing on managing C-SCRM across the enterprise with high-level strategy, policy, and implementation planning. Level 2 is the mission business process tier focusing on directing activities on the mission business level with mid-level C-SCRM strategies, policies, and implementation plans. Level 3 is the operational tier focusing more on granular execution strategies and C-SCRM plans.
Section 3 of NIST SP 800-161 provides an in-depth look at the critical success factors required for any C-SCRM program. This section discusses the integration of C-SCRM into acquisition, supply chain info sharing, awareness and training, key practices, implementing measurement controls, and dedicating resources to your C-SCRM program.
What types of organizations would benefit from using NIST SP 800-161 guidance?
Any business or organization engaging third-party vendors or suppliers with whom they share sensitive customer or patient information can benefit from following NIST SP 800-161 guidelines. For instance, retail or e-commerce businesses storing sensitive customer information with card processors or cloud service providers; healthcare organizations using email providers, coding services, or cloud storage vendors to assist in the storing or transmitting of sensitive patient records; and banking or financial service companies buying software products for marketing, accounting, or security services. Ultimately, if your company does business with any suppliers or vendors that can access sensitive customer or patient information, now’s the time to become familiar with the guidance found in the NIST SP 800-161 framework.
What are the critical success factors for a supply chain risk management program?
Ready to begin building your organization’s supply chain risk management program? Below are the critical success factors your team should use as guidelines for program success:
Integrating C-SCRM with acquisition
Sharing supply chain information
Build a process to gain agreement from your suppliers, business partners, and peer enterprises to share supply chain risk information. This way, your organization can leverage the collective experience, knowledge, and capabilities of a sharing community to gain a complete understanding of the threats your company may face.
Initiating C-SCRM Training and Awareness
Many individuals within your organization contribute to the success of C-SCRM. These may include but are not limited to information security, procurement, risk management, engineering, software development, IT, legal, and HR. Examples of these group’s contributions include:
Everyone in your organization, including the end-users of information systems, has a role in managing cybersecurity risk in the supply chain. Thus, your organization needs to use various communication methods to foster an understanding of the importance of C-SCRM, their specific roles and responsibilities, and the proper channels for reporting incidents.
Individuals with more significant roles in managing cybersecurity risk in the supply chain should receive tailored training, helping them understand the scope of their responsibilities, specific processes, and procedure implementation for which they are responsible. This training must include the action steps necessary in the event of an incident, disruption, or other C-SCRM-related event.
Implementing fundamental practices
The following are the essential core practices of any risk management program:
- Establish a centralized, dedicated, multi-disciplinary C-SCRM Program Management Office team
- Create a standard process for conducting risk assessments
- Develop a process for identifying and measuring the criticality of the organization’s suppliers, products, and services
- Raise awareness and foster understanding of C-SCRM and why it’s vital
- Make sure C-SCRM is incorporated into your procurement policies and procedures
- Establish consistent, well-documented processes to determine supplier impact levels
- Use supplier risk assessment processes on a prioritized basis after defining vendor impact levels
- Establish clear collaborative and discipline-specific roles, accountabilities, structures, and processes for supply chain, cybersecurity, product security, and other relevant functions such as legal, risk executive, HR, finance, IT, system engineering, information security, and procurement
- Dedicate adequate resources to information security and C-SCRM, ensuring proper implementation of policy, guidance, and controls
- Implement a tailored set of security controls using NIST SP 800-53 Revision 5 and Security and Privacy Controls for Information Systems and Enterprises as references
- Implement internal checks and balances ensuring compliance with security and quality requirements
- Implement an incident response management program so your incident response team can identify the root cause of security incidents, including those originating from your supply chain
- Establish internal processes validating that suppliers and service providers are actively identifying and disclosing vulnerabilities in their products
Measuring the effectiveness of your C-SCRM program
Measuring the performance of your C-SCRM program provides multiple organizational and financial benefits, like increasing stakeholder accountability for C-SRM performance, improving the effectiveness of C-SCRM activities, demonstrating compliance with laws and regulations, providing quantifiable input for resource allocation decisions, and the cost avoidance associated with reducing the impact or likelihood of a cyber-supply chain incident.
Below are several ways of measuring and managing the effectiveness of your C-SCRM program:
To stay on top of cybersecurity risk in the supply chain, your organization must dedicate adequate funds toward the effort. Securing and assigning C-SCRM funding is a sign of leadership’s commitment to the importance of C-SCRM and its relevance to economic security, thus ensuring the protection, continuity, and resilience of mission and business processes and assets.
What are critical C-SCRM security controls?
Let’s begin by asking a critical question: what specific C-SCRM security controls should your organization have in place?
NIST defines security controls as the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
NIST SP 800-53 defines multiple cybersecurity supply chain-related controls within the catalog of information security controls.
NIST SP 800-161 Appendix A: C-SCRM Security Controls
Controls identifies and augments C-SCRM-related controls with supplemental guidance, providing new controls as appropriate. The security control families that your team should become familiar with include the following:
Supplier’s system access must be managed to prevent unauthorized release, modification, or destruction of information. Access should be limited only to the necessary type, duration, and level for authorized enterprises and monitored for impact on the supply chain.
This family expands the Awareness and Training control of FIPS 200 to include C-SCRM. It discusses the training component behind understanding supply chain security challenges and the appropriate processes and controls to mitigate cybersecurity risk in the supply chain.
Information system audit records must be created and stored to monitor, investigate, and analyze unlawful or inappropriate system activity. This control also monitors and traces all system users’ actions.
Information system controls must be assessed periodically to ensure correct function, and plans to correct any deficiencies and eliminate potential vulnerabilities must be developed and implemented. Information systems must also be continually monitored to ensure the effectiveness of controls.
Baseline configurations and inventories of information systems (e.g., hardware, software, firmware, documentation) must be established throughout the system development life cycle (SDLC). Additionally, security configuration settings must be created for all information system products.
Guidelines must be created to establish and implement plans covering emergency response, backup operations, and post-disaster recovery for information systems and supply chains.
System components must be identified and authorized in addition to individuals and processes acting on behalf of individuals within the supply chain network.
Effective incident handling capability must be established within information systems and supply chains, including adequate preparation, detection, analysis, containment, recovery, and user response activities. All incidents must be tracked, documented, and reported to appropriate officials and authorities.
Maintenance must be performed on information systems while providing adequate controls for the tools, techniques, mechanisms, and personnel involved. C-SCRM should be applied to maintenance, including assessing cybersecurity risk in the supply chain, selecting C-SCRM controls, implementing these controls, and continued monitoring to ensure proper function.
Paper and digital media must be protected across the supply chain with access limited to authorized users. Additionally, all system media must be sanitized or destroyed before disposal.
Physical access to information systems, equipment, and operating environments must be limited to authorized personnel, while physical assets, infrastructure, and information systems within the supply chain must be safeguarded from environmental hazards.
Security plans must be developed, documented, implemented, and updated for supply chain information systems that describe current security controls and set the behavior guidelines for individuals accessing the systems.
Minimum security control requirements aren’t specified by FIPS 200 for program management. However, any program management controls should be applied in a C-SCRM context, providing guidance and feedback for enterprise-wide C-SCRM activities. These controls should apply across the entire enterprise while supporting an overarching information security program.
Ensures individuals in positions of responsibility meet established security criteria for those positions and protects supply chain information systems during personnel moves like terminations and transfers. Imposes formal sanctions for those failing to comply with personnel security policies.
This is a new control family, explicitly developed to address the processing and transparency concerns of personally identifiable information (PII) within supply chains. Enterprises must build their PII processing and transparency policies and procedures with an eye on supply chain risk management and system security.
Risk to organizational operations, assets, and individuals resulting from the operating of information systems must be periodically assessed in light of maintaining effective supply chain risk management.
Sufficient resources must be allocated to adequately secure organizational information systems and ensure all third-party suppliers follow similar protocols to protect the information, applications, products, and services outsourced from the company.
Organizational communications must be monitored, controlled, and protected at both internal and external information system boundaries, employing architectural designs, software development techniques, and systems engineering principles to deliver adequate information security.
Teams must monitor information security alerts and take appropriate action to identify, report, and correct system flaws quickly. This includes protecting against malicious code at appropriate locations within information systems.
FIPS 200 doesn’t specify minimum security requirements for supply chain risk management. NIST SP 800-53 Rev. 5 established this as a new control family with SP (800-161 R1), including all SR control enhancements from SP 800-53 Rev. 5 regarding supply chain risk management.
Who should be involved in a cybersecurity supply chain risk management program?
As an organization attempting to manage supply chain risk, you must keep in mind that building and operating a successful C-SCRM program is a complicated and challenging undertaking. The process will require a cultural transformation fueled by a tri-layered, team-oriented, multi-disciplinary approach. C-SCRM must be supported by the committed engagement of a wide array of your internal stakeholders infusing perspectives from all disciplines and the cooperation and assistance of external stakeholders like suppliers, developers, and system integrators.
To maximize the effectiveness of your C-SCRM program in controlling supply chain risk, you will want to use a multi-level, enterprise-wide risk management approach to define roles and assign responsibility. These are the three levels your organization needs to include:
Executive leadership (Level 1)
Composed primarily of C-suite positions, will frame risk for the enterprise and set the risk appetite. They will orchestrate risk management from the top down by defining enterprise C-SCRM strategy and high-level implementation plans, policies, goals, and objectives. The executive level will also form and institute governance structures and operating models while taking the lead in making enterprise-level CSCRM decisions. Finally, Executive leadership leads the creation of a C-SCRM Program Management Office (PMO).
Business management (Level 2)
Composed of Program Management [PM], Research and Development [R&D], Engineering [SDLC oversight], Acquisition and Supplier Relationship Management/Cost Accounting, and other management related to reliability, safety, security, and quality as well as the C-SCRM PMO. This second level will frame and manage enterprise risk related to the mission/business process. They are also responsible for developing mission and business process-specific strategy, procedures, guidance, constraints, and implementation plans. Business management should collaborate with the C-SCRM PMO while reporting on C-SCRM to Level 1 and acting on reports from Level 3.
Systems Management (Level 3)
Comprised of architects, developers, System Owners, QA/QC, test contracting personnel, C-SCRM PMO staff, control engineers, and control system operators. Systems Management is responsible for developing C-SCRM plans while implementing C-SCRM policies and requirements. They must adhere to constraints provided by both Level 1 and 2 while providing reports on C-SCRM to Level 2. Systems Management’s most critical role in managing risk may be tailoring C-SCRM to the context of individual systems and applying it throughout the SDLC.
Ready to get your C-SCRM program up and running?
In a centralized model, you can concentrate and assign certain C-SCRM activities to a central PMO. The PMO acts as a service provider for other business processes and groups. The PMO could provide beneficial services such as:
If you choose a decentralized model for your C-SCRM program, more responsibility will fall on the individual stakeholders within the three levels–Executive Leadership, Business Management, and Systems Management. A decentralized model lacks the oversight and coordination provided by a PMO. Smaller organizations with fewer resources and processes to manage may benefit from this type of model. Also, keep in mind that a hybrid model exists if your organization wants to maintain some degree of central control but not commit to a fully centralized approach. Ultimately, ownership and accountability for supply chain risk lie with organizational leadership. Base the model you choose to operationalize your C-SCRM program on available resources and management’s preferred approach.
NIST SP 800-161 Appendices
Whichever model your organization selects to guide your C-SCRM program, it’s essential to become familiar with the appendices provided in the NIST SP 800-161 document. These appendices provide additional information and guidance to help your organization design and implement an effective C-SCRM program.
How Hyperproof Supports Cybersecurity Supply Chain Risk Management
Hyperproof’s compliance operations software helps organizations implement a robust cyber supply chain risk management program. Sign up for a personalized demo to see how you can use Hyperproof to manage a C-SCRM program efficiently.
Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get NIST CSF ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.