Key Practices in Cyber Supply Chain Risk Management

April 09, 2021

NIST has released a publication (IR 8276) listing eight key practices in cyber supply chain risk management (C-SCRM). Supply chains are often the weak link in cyber security, so every organization should be aware of and follow these practices.

As described by Navarasu Dhanasekar of Ampcus Cyber, here is NIST's list:

  1. Integrate C-SCRM across the organization, including all stakeholders.
  2. Establish formal policies and procedures.
  3. Know and manage critical components and suppliers with the greatest impact on the organization.
  4. Understand the supply chain, including sub-suppliers at all levels.
  5. Closely collaborate with key suppliers.
  6. Include key suppliers in resilience and improvement activities. Plan for all disruptions, not just cyber attacks.
  7. Continuously monitor the relationship.
  8. Plan for supply chain interruptions, such as the end of support for obsolete hardware and software, discontinued production, or changes in supplier ownership or management. Keep a reserve of critical components.