Brief History of Cybersecurity Supply Chain Risk Management (C-SCRM)

C-SCRM for Information and Communications Technology (ICT) began in earnest in 2008. The US Government realized that for its own C-SCRM approach to be effective, it would require a strong public-private partnership. Currently, the US National Institute of Standards and Technology (NIST) is the authoritative source on C-SCRM-related matters and provides the guidance on the subject for the US Government:

  • Section 1323 of the Secure Technology Act tasked NIST with identifying and recommending development of "supply chain risk management standards, guidelines and practices for executive agencies to use when assessing and developing mitigation strategies to address supply chain risks..."

  • Section 201.301(d) of the Federal Acquisition Supply Chain Security Act requires the Federal Acquisition Security Council (FASC) to consult with NIST, and requires NIST to participate in FASC activities as a member to advise the FASC on NIST standards and guidelines issued under 40 U.S.C. 11331, including ensuring that any recommended orders do not conflict with such standards and guidelines.


The NIST Cyber Supply Chain Risk Management (C-SCRM) program started in 2008, when it initiated the development of C-SCRM practices for non-national security systems, in response to Comprehensive National Cybersecurity Initiative (CNCI) #11, "Develop a multi-pronged approach for global supply chain risk management." Since then, NIST has worked with diverse stakeholders from across government, industry and academia to identify and evaluate effective technologies, tools, techniques, practices and standards useful in securing the cyber supply chain. NIST has researched, and continues to research, the state of C-SCRM in both the public and private sectors, related standards and initiatives, effective practices and metrics. In addition, NIST has given several grants to conduct research in this area as well as to develop a web-based risk assessment and collaboration tool.


NIST's approach to C-SCRM encompasses the following key points:

  • Foundational Practices: C-SCRM lies at the intersection of cybersecurity and supply chain risk management. Existing cybersecurity and supply chain practices provide a foundation for building an effective C-SCRM program.

  • Organization-Wide: Effective C-SCRM is an organization-wide activity that involves each organizational tier (Organization, Mission/Business Processes and Information Systems), various organizational functions (cybersecurity, supply chain management, acquisition/procurement, legal, engineering, etc.) and is implemented throughout the system development life cycle.

  • Risk Management Process: C-SCRM should be implemented as part of overall enterprise risk management activities. Activities should involve identifying and assessing applicable risks, determining appropriate mitigating actions, developing a C-SCRM Plan to document selected policies and mitigating actions, and monitoring performance against that Plan. Because cyber supply chains differ across and within organizations, the C-SCRM Plan should be tailored to individual organizational contexts.

  • Risk: Cyber supply chain risks are associated with a lack of visibility into, understanding of and control over many of the processes and decisions involved in the development, acquisition and delivery of IT/OT products and services.

  • Threats and Vulnerabilities: Effectively managing cyber supply chain risks requires a comprehensive view of threats and vulnerabilities. Threats can be either "adversarial" (e.g. tampering, counterfeits) or "non-adversarial" (e.g. poor quality, natural disasters); vulnerabilities may be "internal" (e.g. organizational procedures) or "external" (e.g. part of an organization’s supply chain).

  • Critical Systems: Cost-effective supply chain risk mitigation requires agencies to identify those systems/components that are most vulnerable and will cause the greatest organizational impact if compromised.


C-SCRM History timeline

2008

  • NIST’s ICT SCRM program started in 2008, when it initiated the development of ICT SCRM practices for non-national security information systems, in response to Comprehensive National Cybersecurity Initiative (CNCI) #11, “Develop a multi-pronged approach for global supply chain risk management.” CNCI-SCRM was tasked under National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23. The intent of CNCI-SCRM was to provide the US Government with a robust toolset of SCRM methods and techniques.

2010

  • The White House released Executive Order (EO) 13556 that established Controlled Unclassified Information (CUI). The EO established a US Government-wide program for managing CUI.

2012

  • NIST released a precursor to NIST SP 800-161 with the publishing of NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems.

2013

  • From CNCI #11 sprang the 2013 draft of NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

  • Several articles were published in 2013 about “US spy agencies” blacklisting Lenovo PCs due to backdoor concerns. This supposedly led to a discrete “shadow ban” by several western nations against the Chinese firm Lenovo for supply chain-related risks.

2015

  • NIST published the official release of NIST SP 800-161 to provide federal agencies with guidance to develop the appropriate policies, processes and controls to effectively manage ICT-related supply chain risk. It was designed to be flexible and builds on existing US Government information security practices (e.g., NIST SP 800-53).

    • Risk Management: NIST SP 800-161 details a set of processes for evaluating and managing supply chain risk. These processes are integrated into NIST SP 800-39’s Risk Management Process (Frame, Assess, Respond and Monitor) and should be implemented as part of agencies’ overall risk management activities.

    • Extended Overlay: Several controls in Appendix F of NIST SP 800-53 Rev. 4 can help with ICT supply chain risk mitigation. Chapter 3 of NIST SP 800-161 identifies these controls and provides supplementary guidance for their application to ICT SCRM. Additional controls assist organizations in developing more robust and complete ICT SCRM mitigation strategies.

    • Threat Scenarios and Risk Framework: Understanding and evaluating ICT SCRM threats supports a cost-effective risk mitigation strategy. NIST SP 800-161 lists applicable threat events and provides a risk framework for assessing threats and identifying mitigation responses—one method for evaluating interdependencies and the potential impact of an event.

    • ICT SCRM Plan: NIST SP 800-161 provides a template for developing ICT SCRM plans that address the entire system development life cycle.

  • NIST published the official release of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

2016

  • NIST published the official release of NIST SP 800-171 R1.

2017

  • DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, established regulations requiring NIST SP 800-171 compliance.

  • DHS issued Binding Operational Directive (BOD) 17-01 (removal of Kaspersky-branded products), where DHS, in consultation with interagency partners, determined that the risks presented by Kaspersky-branded products justify issuance of a BOD to remove Kaspersky from Federal/DoD networks.

2018

  • NIST SP 800-171 compliance requirements became effective on 1 January 2018 (via DFARS clauses).

  • DHS established the ICT SCRM Task Force with representatives from the public and private sectors to identify challenges and develop workable solutions for managing risks to the global ICT supply chain.

  • Section 1323 of the Secure Technology Act tasked NIST with identifying and recommending development of "supply chain risk management standards, guidelines and practices for executive agencies to use when assessing and developing mitigation strategies to address supply chain risks..."

2019

  • Executive Order (E.O.) 13873 on Securing the Information and Communications Technology and Services Supply Chain was signed into law. EO 13873 directs the federal government to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.

  • The DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) created the Cybersecurity Maturity Model Certification (CMMC). This included a “CMMC Listening Tour” that was intended to solicit feedback from key stakeholders.

2020

  • NIST published the official release of NIST SP 800-171 R2.

  • DoD OUSD(A&S) formally recognized the CMMC Accreditation Body (CMMC-AB) with a Memorandum of Understanding (MOU), followed by a no-cost contract.

  • CMMC version 1.0 was released in January 2020, quickly followed by the CMMC v1.02 release.

  • NIST published the official release of NIST SP 800-53 R5.

  • Section 201.301(d) of the Federal Acquisition Supply Chain Security Act (FASCSA) requires the Federal Acquisition Security Council (FASC) to consult with NIST, and requires NIST to participate in FASC activities as a member to advise the FASC on NIST standards and guidelines issued under 40 U.S.C. 11331, including ensuring that any recommended orders do not conflict with such standards and guidelines.

2021

  • NIST released a new version of NIST SP 800-171 R2 to add clarification, which included scoping guidance for systems and services that provide security protections for CUI.

  • DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirement, officially requires the DIB to comply with CMMC.

2022

  • NIST released NIST SP 800-161 R1, which is the new "gold standard" for C-SCRM practices.