Cybersecurity Supply Chain Risk Management (C-SCRM) Is More Than Just An American Problem.
The Defense Industrial Base (DIB) and Federal Supply Chain (FSC) are Global.
C-SCRM Requires A Global Solution That Can Adapt & Scale To Meet This Challenge.
Focused On Operationalizing Cybersecurity Supply Chain Risk Management (C-SCRM)
According to the National Counterintelligence Strategy of the United States (years 2020-2022), the strategic objective for supply chain security is to: "Reduce threats to key U.S. supply chains to prevent foreign attempts to compromise the integrity, trustworthiness, and authenticity of products and services purchased and integrated into the operations of the U.S. Government, the Defense Industrial Base, and the private sector."
There is a lot of invaluable information on the Internet about what C-SCRM is from authoritative sources, such as the US National Institute of Standards and Technology (NIST), the US Department of Homeland Security (DHS), the Cybersecurity & Infrastructure Security Agency (CISA), the US National Counterintelligence and Security Center (NCSC) and many others. "Meta SCRM" simply means "about SCRM" and this site is designed to be a form of neutral clearinghouse for SCRM-related material. The issue we are trying to solve is how to operationalize C-SCRM practices, so that organizations have actionable plans that can be implemented to both secure their internal processes and assess/mitigate risks within their supply chain. The goal is for organizations to be both secure and compliant with their obligations.
At the heart of C-SCRM are nation-state "bad actors." The United States Trade Representative's Special 301 Report identifies 10 countries (including China and Russia) on its Priority Watch List, as well as an additional 23 countries on its Watch List. This list of countries sets the stage for identifying potential geography-based threats that can directly or indirectly impact the confidentiality, integrity, availability and safety of an organization's supply chain. Additional scrutiny is required for products and services (1) produced by entities located within those countries or (2) produced by organizations that have ownership or other Conflict of Interest (COI) concerns with governments listed on those watch lists.
C-SCRM Is A Perception Problem Where False Assumptions Have Real-World Implications
Provenance is the technical means to maintain evidence-based integrity of products and services across an asset's lifecycle. It is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Provenance helps eliminate false assumptions by governing the integrity of the asset across its lifecycle.
Currently, there are no clear US laws or regulations that mandate suppliers provide multi-tier transparency of their supply chains. The closest requirements are narrowly focused on Controlled Unclassified Information (CUI) as part of several Defense Federal Acquisition Regulation Supplement (DFARS) clauses and Federal Acquisition Regulation (FAR) 52.204-21(2).
C-SCRM is the process of identifying, assessing, and mitigating the risks to the integrity, trustworthiness, and authenticity of products and services within the supply chain. This is often directed at Information and Communications Technology (ICT) that scopes:
Primary suppliers (e.g., those with a direct contract with the acquiring organization);
Tiers of suppliers that support the primary suppliers by providing products and services; and
Any entities linked to those tiered suppliers through commercial, financial or other relevant relationships.
A properly scoped C-SCRM program assesses (1) internal risks that are native to every organization and (2) external risks that stem from the third parties that produce the products and/or provide the services that make up the acquiring organization's supply chain.
For example, an Internet-enabled "smart meter" contains more than just configurable software; it also contains firmware and hardware, including microprocessors. Therefore, assessing the supply chain risks associated with smart meters involves more than evaluating the functionality and features of the end product; it also means evaluating the components that come together to make up that end product.
A successful C-SCRM program is the embodiment of Zero Trust Architecture (ZTA), where there is no such thing as a "trusted third party," since trust is a luxury that C-SCRM cannot afford. ZTA's goal is to minimize the negative impact of any product or service being used in a malicious manner. While C-SCRM relies on ZTA principles to architect, build and maintain secure systems, applications, services and networks, SCRM also relies on the concept of "provenance," where every system and system component has a point of origin and may be changed throughout its existence.