Biblio

The NIST Cyber Supply Chain Risk Management (C-SCRM) program helps organizations to manage the increasing risk of cyber supply chain compromise, whether intentional or unintentional. The factors that allow for low-cost, interoperability, rapid innovation, a variety of product features, and other benefits also increase the risk of a compromise to the cyber supply chain, which may result in risks to the end user. Managing cyber supply chain risks require ensuring the integrity, security, quality and resilience of the supply chain and its products and services. Cyber supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cyber supply chain.

Organizations are concerned about the risks associated with products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain. These risks are associated with an enterprise’s decreased visibility into, and understanding of, how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to assure the security, resilience, reliability, safety, integrity, and quality of the products and services. This publication provides guidance to organizations on identifying, assessing, and mitigating cyber supply chain risks at all levels of their organizations. The publication integrates cyber supply chain risk management (C-SCRM) into risk management activities by applying a multi-level, C-SCRM-specific approach, including guidance on development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and C-SCRM risk assessments for products and services.