Key Considerations for Successful Cybersecurity Supply Chain Risk Management (C-SCRM)

What is C-SCRM?

Cybersecurity Supply Chain Risk Management (C-SCRM) is the strategic process of identifying, assessing, and mitigating risks associated with the information and communication technology (ICT) supply chain. Virtually every technical asset, whether hardware or software, is the result of a highly complex, distributed technology supply chain involving dozens of entities, including manufacturers, suppliers, sub-suppliers, system integrators, and more. This creates many opportunities for cybersecurity risk, both intentional (e.g. counterfeit products, insertion of malicious code) and unintentional (e.g. accidental vulnerabilities resulting from software defects).

C-SCRM is a critical discipline designed to address these risks and safeguard the integrity and availability of digital assets throughout their lifecycle. According to NIST’s C-SCRM project, it includes “identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of ICT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction).” 

Who is Responsible for C-SCRM?

NIST’s Cybersecurity Framework 2.0 notes that the “primary objective of C-SCRM is to extend appropriate first-party cybersecurity risk management considerations to third parties, supply chains, and products and services…” As such, C-SCRM requires enterprises and government agencies to implement the appropriate controls and procedures to identify, assess, and respond to risks from their technology supply chains. 

C-SCRM requires organization-wide collaboration and coordination, often involving many job roles and functions. This can include the need for IT, vendor risk management, and procurement teams to evaluate prospective vendors and products in terms of their supply chain risk and to verify that all received assets match vendor-supplied software bills of materials (SBOMs). Security and vulnerability management teams will need to regularly assess assets to verify the integrity of all critical components and code and to identify any vulnerabilities or misconfigurations. Incident response teams will need to include procedures to mitigate supply chain risks when they are identified. 
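One way to carry out the SBOM matching step described above, as an added example that is not Eclypsium's code or a NIST artifact: a minimal CycloneDX-style SBOM carrying SHA-256 component hashes is checked against the component images actually delivered, reporting altered, missing and undeclared components. The SBOM fragment, component names and delivered images are constructed for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sbom(components: dict) -> str:
    """Hypothetical vendor side: a minimal CycloneDX-style SBOM as JSON."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "firmware", "name": name,
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}]}
        for name, blob in components.items()]})

def verify_against_sbom(sbom_json: str, received: dict) -> dict:
    """Receiving side: hash each delivered component and compare with the SBOM.
    A component with no SHA-256 entry cannot be verified, so it is reported as
    a mismatch rather than silently accepted."""
    report = {"matched": [], "mismatched": [], "missing": [], "unexpected": []}
    declared = {}
    for comp in json.loads(sbom_json).get("components", []):
        digests = [h["content"].lower() for h in comp.get("hashes", [])
                   if h.get("alg") == "SHA-256"]
        if not digests:
            report["mismatched"].append(comp["name"])
            continue
        declared[comp["name"]] = digests[0]
    for name, expected in declared.items():
        if name not in received:
            report["missing"].append(name)
        elif sha256_hex(received[name]) == expected:
            report["matched"].append(name)
        else:
            report["mismatched"].append(name)
    # Anything delivered that the SBOM never declared is also a finding.
    report["unexpected"] = sorted(set(received) - set(declared))
    report["ok"] = not (report["mismatched"] or report["missing"] or report["unexpected"])
    return report

# Constructed sample images standing in for a vendor's shipped firmware set.
VENDOR_IMAGES = {"bootloader.bin": b"BOOT 2.1.0", "bmc.fw": b"BMC 4.7.2", "nic.rom": b"NIC 1.3"}
SBOM = build_sbom(VENDOR_IMAGES)

# Constructed delivery: one image altered, one absent, one undeclared extra.
RECEIVED = dict(VENDOR_IMAGES)
RECEIVED["bmc.fw"] += b"\x00"
del RECEIVED["nic.rom"]
RECEIVED["debug.bin"] = b"DEBUG"

def demo_report() -> dict:
    return verify_against_sbom(SBOM, RECEIVED)
```

A report with `ok` false is the trigger for the procurement and incident response procedures described above; a real deployment would read the vendor's SBOM file and hash the extracted images instead of the constructed byte strings.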

Key Steps for C-SCRM 

NIST’s Cybersecurity Framework 2.0 addresses cybersecurity supply chain risk management within the new GOVERN function (GV.SC) as well as within the IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER functions as follows:

  • Identify: Identifying, validating, and recording vulnerabilities associated with the supplier’s product or service [ID.RA-01] 
  • Protect: Authenticating users, services, and hardware [PR.AA-03]; applying appropriate configuration management practices [PR.PS-01]; generating log records and having the logs available for continuous monitoring [PR.PS-04]; and integrating secure software development practices into the supplier’s software development life cycles [PR.PS-07]
  • Detect: Monitoring computing hardware and software for potentially adverse events [DE.CM-09]
  • Respond: Executing incident response plans when compromised products or services are involved [RS.MA-01]
  • Recover: Executing the recovery portion of the organization’s incident response plan when compromised products or services are involved [RC.RP-01], and restoring compromised products or services and verifying their integrity [RC.RP-05]

Read our blog post on NIST CSF guidance on setting up C-SCRM policies and integrating those into cybersecurity and enterprise risk assessment practices.

Implementing C-SCRM Using Eclypsium

Eclypsium protects the digital supply chain and gives enterprises tools to verify that the devices they buy are authentic, free from vulnerabilities, and haven’t been tampered with at any point.

With a simple scan, organizations can verify the integrity of new devices and have detailed insight to hold suppliers accountable.

  • Evaluate IT Product Security – Eclypsium audits your prospective devices and other IT infrastructure products to verify exactly what’s inside and to identify potential security issues.
  • Verify Digital Supply Chain Integrity – Eclypsium authenticates suppliers and sub-suppliers, ensuring authenticity, security, and compliance.
  • Discover and Monitor Firmware SBOMs – Know what’s in your code, proactively identifying known threats such as implants, backdoors, and malware.
  • Screen Updates and Patches – Automatically screen every update before you apply it, so your devices run longer and more reliably.

To learn more, visit our Supply Chain Security solutions page.