Operationalizing Supply Chain Risk Management (SCRM)

Operationalizing Cybersecurity Supply Chain Risk Management (C-SCRM)

An organization's executive leadership team drives the success of C-SCRM. On a day-to-day basis, cybersecurity merely has a supporting role, where an organization's non-technology leadership team is the leading factor in the success of a SCRM program. When you start looking at how do you "do C-SCRM" in a practical manner, it is more than just a control set, where a C-SCRM program needs to have authority over several key business functions that impact supply chain security:

  • Secure Development Practices

  • Procurement Practices

  • Risk Management Practices

  • Systems, Applications & Services Management Practices 

SCRM - Supply Chain Risk Management (SCR

C-SCRM Program - Operational Leadership

For C-SCRM to be successful, operational leadership is essential. This “active participation” by a Chief Supply Chain Officer (CSCO), and his/her staff, ensures that processes are effectively carried out on a day-to-day basis. In many industries, the CSCO is often designated as the Chief Operations Officer (COO). Regardless of the official title, the CSCO is responsible for internal and external supply chain processes. This scope ranges beyond simple logistics and manufacturing activities to include:

  • Innovation and development.

  • Onboarding new technologies/services.

  • Business operations (e.g., manufacturing, service delivery, etc.).

  • Business Continuity & Disaster Recovery (BCDR).

  • Third-party relationship onboarding and management (e.g., vendors, service providers, contractors, etc.).

  • Decommissioning technologies, services and third-party relationships.


Efficient operational leadership requires the organization to structure roles that are complementary and not counterproductive. For the CSCO role to be successful in executing the organization’s SCRM program:

  • The CSCO needs to report directly to the organization’s Chief Executive Officer (CEO) to eliminate conflicts of interests among leadership representing Lines of Business (LOB) within the organization.

  • The CSCO must be able to influence cybersecurity and data protection controls by being part of the organization’s cybersecurity steering committee.

  • Due to the reliance on risk management practices and the underlying cybersecurity and data protection controls that enable a SCRM program to function, the Chief Information Security Officer (CISO) should directly report to the CSCO.

  • Due to the supply chain nature of DevSecOps, the Chief Technology Officer (CTO) role should directly report to the CSCO.

  • Due to the external focus of the SCRM program, the Chief Contracting Officer (CCO) role should directly report to the CSCO to ensure contracts and procurement actions are in-line with the SCRM program.

  • Due to how technology is so integral to business operations, the Chief Information Officer (CIO) role should directly report to the CSCO.

  • The CISCO, CIO, CTO and CCO need to be viewed as peers, each with an equal role of importance in the SCRM program, where the CSCO provides operational leadership to orchestrate SCRM activities across the enterprise and its supply chain.

SCRM - SCRM Program Organization Chart.j

Hierarchical SCRM Management Structure [proposed organization chart]

C-SCRM Program - Secure Development Practices

C-SCRM is an enterprise-wide activity that is implemented throughout the System Development Life Cycle (SDLC). Within the concept of secure development practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

  • Maintain close working relationships through frequent visits and communications.

  • Mentor and coach suppliers on C-SCRM and actively help suppliers improve their cybersecurity and supply chain practices.

  • Invest in common solutions.

  • Require the use of the same standards within the acquirer organizations and by suppliers, thereby simplifying communications about cybersecurity risk and mitigations and helping to achieve a uniform level of quality throughout the ecosystem.


Resilience and improvement activities include:

  • Rules and protocols for information sharing between acquirers and suppliers.

  • Joint development, review and revision of incident response, business continuity and disaster recovery plans.

  • Protocols for communicating vulnerabilities and incidents.

  • Responsibilities for responding to cybersecurity incidents.

  • Coordinated communication methods and protocols.

  • Coordinated restoration and recovery procedures.

  • Collaborative processes to review lessons learned.

  • Updates of coordinated response and recovery plans based on lessons learned.

C-SCRM Program - Procurement Practices

C-SCRM lies at the intersection of cybersecurity and supply chain risk management. Existing supply chain and cybersecurity practices provide a foundation for building an effective Risk Management Program (RMP). Therefore, within the concept of procurement practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

  • Increased executive leadership or Board of Directors (BoD) involvement for establishing C-SCRM as a top business priority and to ensure proper oversight.

  • Clear governance of C-SCRM activities that includes cross-organizational roles and responsibilities with clear definitions and designation/distribution of these roles among enterprise risk management, supply chain, cybersecurity, product management and product security (if applicable) and other relevant functions appropriate for the organization’s business.

  • Leading framework-based policies, standards and procedures that provide guidance to different business units detailing their C-SCRM activities.

  • Same policies used internally and with suppliers.

  • Integration of cybersecurity considerations into the system and product development life cycle.

  • Use of cross-functional teams to address specific, enterprise-wide risks.

  • Clear definition of roles of individuals responsible for cybersecurity aspects of supplier relationships (which may be different than those responsible for procurement activities with specific suppliers).

  • Establishment of Centers of Excellence (CoE) to identify and manage best practices.

  • A set of measures of success used to facilitate decision-making, accountability and improvement.

  • Approved and banned supplier lists.

  • Use of software and hardware component inventory (e.g., bill of materials) for third-party components.

  • Prioritization of suppliers based on their criticality.

  • Establishment of testing procedures for the most critical components.

  • Establishment of a known set of security requirements or controls for all suppliers, especially robust security requirements for critical suppliers to be used in procurement (sometimes known as master specifications).

  • Service-Level Agreements (SLA) with suppliers that state the requirements for adhering to the organization’s cybersecurity policy and any controls required of the supplier.

  • Establishment of intellectual property rights agreements.

  • Shared supplier questionnaires across like organizations, such as within the same critical infrastructure sector.

  • Upstream propagation of acquirer’s security requirements within the supply chain to sub-tier suppliers.

  • Assurance that suppliers have only the access they need in terms of data, capability, functionality and infrastructure; bounding this access by specific time frames during which suppliers need it.

  • Use of escrow services for suppliers with a questionable or risky track record.

  • Provision of organization-wide training for all relevant stakeholders within the organization, such as supply chain, legal, product development and procurement; this training may also be extended to key suppliers.

  • Identification of alternative sources of critical components to ensure uninterrupted production and delivery of products.

  • Secure requirements guiding disposal of hardware that contains regulated data (e.g., CUI, FCI, PII, CHD, PHI, etc.) or otherwise sensitive information (e.g., Intellectual Property (IP)).

  • Protocols for securely terminating supplier relationships to ensure that all hardware containing acquirer’s data has been properly disposed of and that the risks of data leakage have been minimized.

C-SCRM Program - Risk Management Practices

C-SCRM needs to be implemented as part of an organization’s overall Enterprise Risk Management (ERM) activities (e.g., NIST SP 800-39 & NISTIR 8286). These risk management practices involve identifying and assessing applicable risks, determining appropriate response actions and developing a C-SCRM strategy. Within the concept of risk management practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

  • Activities should involve identifying and assessing applicable risks, as well as determining appropriate response actions.

  • Developing a C-SCRM strategy and implementation plan to document selected response actions and monitoring performance against that plan.

  • Manage risks. Cyber supply chain risk is associated with a lack of visibility into, understanding of and control over many of the processes and decisions involved in the development and delivery of cyber products and services.

  • Manage threats and vulnerabilities. Effectively managing cyber supply chain risks requires a comprehensive view of threats and vulnerabilities.

    • Threats can be either “adversarial” (e.g., tampering, counterfeits) or “non-adversarial” (e.g., poor quality, natural disasters).

    • Vulnerabilities may be “internal” (e.g., organizational procedures) or “external” (e.g., part of an organization’s supply chain).

C-SCRM Program - Systems, Applications & Services Management Principles

C-SCRM requires organizations to identify critical systems, applications and services, as well as sensitive data, that are most vulnerable and can cause the largest organizational impact if compromised. Within the concept of systems, applications & services management practices, in order to ensure C-SCRM is operational it takes the following to exist and be functional:

  • Developing Data Flow Diagrams (DFDs) that track where regulated data (e.g., CUI, FCI, PII, CHD, PHI, etc.) or “crown jewels” IP is stored, transmitted and processed.

  • Identifying suppliers that process regulated data or “crown jewels” IP.

  • Developing network diagrams that identify suppliers that have access to the acquirer’s system and network infrastructure.

  • Threat modeling to determine whether a supplier can become an attack vector by being compromised and allowing threat actors access to the acquirer’s organization.

  • For technology companies, whether a supplier can become an attack vector for the technology company’s products or services delivered to customers.

  • Controlling the volume of data a supplier has access to or hosts.

  • Monitoring the revenue contribution of suppliers (e.g., criticality).