NIST SP 800-161 aims to reshape supply chain risk management: What does it mean for government contractors?
May 25, 2021 · Authored by Matt Gilbert, Leo Alvarez, Jeff K. Clayton
On April 29, 2021 the National Institute of Standards and Technology (NIST) unveiled an initial public draft of its first major revision to Special Publication 800-161, Cyber Supply Chain Risk Management Practices for Systems and Organizations. The publication represents NIST’s flagship framework to evaluate supply chain security for federal agencies and has not been revised since its original publication in April 2015. While federal agencies were the intended audience for the original publication, NIST has stated that the revised framework is designed to be adapted by a wide variety of organizations in assessing supply chain risk management (SCRM) processes and controls.
Federal contractors, in particular, are expected to reap benefits from the rollout of the revised publication. These organizations have been challenged in recent years to adapt their legal and compliance strategies to growing regulatory measures seeking to alleviate concerns over data security and vulnerabilities in the information and communications technology (ICT) supply chain. The call to resolve these issues has been accelerated by supply chain infiltrations like the SolarWinds event, cyber espionage by foreign governments and other unexpected events that have created supply chain bottlenecks and significant business continuity issues (e.g., the COVID-19 pandemic, the Suez Canal incident and the Colonial Pipeline cyberattack). Companies that work closely with the government are expected to be more vigilant than ever in protecting and ensuring the security of their supply chain.
Understanding the criticality of this issue, federal contractors would be wise to consider the updates found in this latest draft revision and provide comment to NIST by the due date (June 14, 2021) in order to help shape the final publication. NIST anticipates releasing a second draft in September 2021 and a final version by April 2022.
Specifically, the revision incorporates a number of important changes intended to reshape how federal agencies think about and monitor risks to increasingly complex and globally distributed supply chains. A summary of several important changes include:
- Conceptual refinements: Distinguishes between “supply chain” and “cyber supply chain” as distinct concepts, which may not have been previously apparent:
  - Supply chain refers to the linked set of resources and processes between and among multiple levels of enterprises, each of which is an acquirer that begins with the sourcing of products and services and extends through their life cycle.
  - Cyber supply chain refers to the linked set of resources that can be subject to cyber supply chain risks from suppliers, their supply chains and their products or services.
- Refines the cyber supply chain risk management (C-SCRM) definition: Setting forth risk management guidance that applies to both information technology (IT) and operational technology (OT) environments, NIST defines C-SCRM as the “systematic process for managing cyber supply chain risk exposures, threats and vulnerabilities throughout the supply chain and developing response strategies to the cyber supply chain risks presented by the supplier, the supplied products and services or the supply chain.”
- C-SCRM key practices: Provides for an initial formulation of a “maturity model” – outlining increasingly advanced practices at three implementation levels: foundational, sustaining and enhancing C-SCRM practices. The guidance makes clear that robust C-SCRM cannot be achieved without reaching a base level of maturity prior to focusing on more advanced C-SCRM capabilities.
- Enterprise risk management (ERM) integration: Provides for better integration of C-SCRM into broader, organization-wide risk management (including NextGen C-SCRM controls).
- C-SCRM program management: Provides guidance on the development of a program management office (PMO) function, with consideration for resource and budget constraints, so that organizations can design a PMO function that is “fit for purpose.”
- Critical success factors: Provides for a set of organizational processes and capabilities that should be in place in order to make C-SCRM successful. These “critical success factors” include:
  - Integrating C-SCRM considerations into acquisition activities;
  - Integrating supply chain information sharing into the C-SCRM program (including establishing information-sharing agreements with peer organizations, business partners and suppliers);
  - Integrating C-SCRM training and awareness and aligning it to unique organizational roles;
  - Integrating C-SCRM metrics in order to measure programmatic success;
  - Identifying and dedicating the appropriate resources (personnel and funds) to C-SCRM programmatic efforts.
- C-SCRM templates: Provides several templates intended to ease operational/programmatic implementation, including:
  - C-SCRM strategy and implementation plan
  - C-SCRM policy
  - C-SCRM plan
  - Cyber supply chain risk assessment
Baker Tilly is here to help
Baker Tilly is here to assist with solidifying your C-SCRM practices, performing a gap assessment or other evaluation procedures to assess your risk. We also can help you understand the aspects of this new guidance that are applicable to your organization, while helping you best allocate time and resources to understand what is “fit for purpose” for your C-SCRM program.
Additionally, your organization may require a C-SCRM plan, either now or in the future. These plans explore the processes you currently have in place to manage your third-party risk and oftentimes require an in-depth understanding of governmental standards. We regularly assist organizations with preparing SCRM plans in order to avoid complications that may arise with federal review and evaluation of these plans.
As the pandemic and recent supply chain “shocks” make clear, risk management procedures and business continuity plans can be tested at any time. Federal contractors should look to develop an effective C-SCRM program that puts the systems, policies and processes in place that will allow them to effectively mitigate and manage ongoing supplier risks. Baker Tilly stands ready to support your organization.
For more information on this, or to learn how Baker Tilly specialists can help – please contact us.