What is the NIST Supply Chain Risk Management Program?

NIST (National Institute of Standards and Technology) is a federal agency under the responsibility of the US Department of Commerce. Established in 1901 to promote innovation and industrial competitiveness in the US, NIST helps organizations advance measurement science, technology, and standards to improve the quality of life for citizens and enhance economic security. 

The NIST Cybersecurity Supply Chain Risk Management (C-SCRM) program helps organizations manage cybersecurity supply chain risks more effectively by identifying, assessing, and mitigating the risks inherent to digital supply chains, which often run on a complex and interconnected ecosystem of distributed systems. 

The C-SCRM program covers the full life cycle, including development, design, deployment, distribution, acquisition, destruction, and maintenance phases. It does so by conducting research, providing resources, and convening stakeholders to help organizations manage the risks to their cybersecurity supply chains.

This is part of an extensive series of guides about the software supply chain.

In this article:

Cybersecurity risk in supply chains

For digital supply chains, cybersecurity risk is the potential damage or disruption that can result from attackers infiltrating vendors, supply chains, products, and services. 

Supply chain cybersecurity risk has always existed, but threat actors have sharply increased their attacks in the past several years, prompting warnings of increased risk from government agencies such as NIST, the Cybersecurity & Infrastructure Agency, and The European Union Agency for Cybersecurity, Threat actors have myriad attack avenues, including insider threats at system integrators who abuse their privileges to steal data, and attackers who breach development pipelines at respected software companies to insert malware into a new product release.

Supply chain cybersecurity vulnerabilities negatively impact a company in several ways:

• Reduction in service levels, customer dissatisfaction, or distrust
• Theft of intellectual property and sensitive data
• Disruption or sabotage of mission-critical business processes
• Compliance violations and fines

Not only are supply chain vulnerabilities sometimes difficult to ferret out, but the interrelated nature of modern digital supply chains can expose businesses to cascading risks. For example, the recent Log4j incident involved a critical vulnerability used in a very popular open source logging component. Possibly millions of organizations worldwide were impacted, either because Log4j was directly included in their software or indirectly included in a component or device they were using.

NIST supply chain risk management approach

NIST defines supply chain risk management as the practice of maintaining security, quality, resilience, and integrity standards for the entire supply chain, including all relevant services and products.

Managing cybersecurity risk in supply chains is a complex undertaking that touches on a wide range of organizational functions and processes. In particular, NIST focuses on: 

Foundational practices 

NIST places C-SCRM at the intersection of supply chain management and information security. Existing cybersecurity and supply chain practices offer a foundation for creating effective risk management programs.

Enterprisewide practices 

C-SCRM can only be effective if implemented as an enterprisewide activity. The program must involve all tiers, including the organization level, mission or business processes, and information systems. Organizations need to implement the program across the entire system development life cycle.

Risk management processes 

Integrating C-SCRM into an overall risk management strategy starts with assessing and identifying applicable risks to determine appropriate response actions. Organizations then use that assessment to build a C-SCRM strategy and implementation plan that documents specific response actions and monitors performance against the plan. There are two key components of this exercise: 

• Risks. Supply chain risks are typically associated with processes and decisions involving building and delivering cyber products and services. These issues are often caused by a lack of visibility into this process, poor understanding of the cycle, and no control over key processes and decisions.
• Threats and vulnerabilities. Effective supply chain risk management also requires a comprehensive view of the threats and vulnerabilities that derive from third-party sources. For example, many companies integrate open source software components into their codebase as they build applications. Organizations also need to maintain visibility over internal vulnerabilities caused by organizational procedures that occur in parts of the organization’s supply chain.

Critical systems 

Organizations can build a cost-effective strategy for supply chain risk mitigation by identifying the most vulnerable components or systems that can cause the biggest impact if compromised, and where possible, automatically remediate them. This requires the adoption and implementation of advanced security tools. There are seven imperatives for any supply chain risk management solution:

Accuracy: Users need to be confident that their solution will accurately detect and alert them to vulnerabilities without generating false positives.

Zero trust: Solutions should employ a zero-trust approach that requires every request for use or access of resources and data to be authenticated, authorized, and continuously validated for security compliance. In a zero-trust environment, every software is untrusted by default and measures are deployed to verify and secure all resources before access is granted.

Comprehensive coverage: Effective security solutions must integrate with a wide range of platforms and programming languages to maximize the scope of code they can check and to minimize the potential for overlooking flaws and vulnerabilities.

Speed: As the speed of the software development lifecycle (SDLC) accelerates and the volume of development rapidly grows, it becomes increasingly vital to rapidly find and fix vulnerabilities to avoid costly development delays.

Prioritization: The increasing volume of attacks on the application layer and the development process poses a challenge for security tools. Not all vulnerabilities pose a serious threat, and remediating them wastes valuable time and resources that should be focused on addressing more serious threats. Look for solutions that can prioritize which vulnerabilities to tackle in order to optimize your security and best safeguard your codebase.

Remediation: Ideally, security solutions should go further than simply detecting vulnerabilities. Advanced solutions will offer recommendations to fix them, or provide automatic remediation capabilities to repair code at the source.

Shift left/ease of use: It is easier and faster to address vulnerabilities early in the SDLC, and can increase the effectiveness of security processes. Shifting security left in this manner puts the onus on developers to implement these security processes, and many balk at using tools that slow the development process. The key is to find advanced tools that are both accurate, easy to use, and can blend seamlessly into the regular developer workflow. 

Top 4 NIST Best Practices for Software Supply Chain Risk Management

NIST issued a compilation of best practices for supply chain security. Here are some of the key best practices:

• Integrate C-SCRM across the organization. Establish a supply chain risk council with stakeholders related to vendor procurement, IT, cybersecurity, operations, and enterprise risk management. The council should proactively review supply chain risk, define mitigation plans, and ensure that strategic decisions are made transparently, sharing responsibility for possible risks.
• Manage critical components and suppliers. Identify critical suppliers that could negatively affect your company’s business if compromised. This first requires identifying the critical assets and processes in the organization and the external suppliers each one relies on. The organization can then manage supplier risk by defining security requirements, adding them to supplier contracts, and evaluating adherence to these requirements.
• Understand the full supply chain. The modern supply chain is very complex, and organizations require a major effort to understand their full supply chain, including all sub-suppliers. Risks might arise from connectivity to a supplier; hardware or software delivered by a supplier; or people and processes within the supply chain. An organization should have visibility into internal processes at suppliers to verify they are producing equipment and software that is authentic, well-tested, and secure.
• Address the full supply chain life cycle. Do not assume that components will stay in the supply chain forever. Plan for disruptions in supply, which can result from operational problems at the supplier, security issues, or suppliers stopping support of legacy products. To mitigate these risks, organizations can adopt methods such as purchasing reverse quantities, forming relationships with approved resellers, and even taking manufacturing in house to ensure uninterrupted supply.

Supply chain risk management with Mend.io

Mend.io safeguards you from software supply chain attacks with Mend Supply Chain Defender, a dedicated supply chain security solution that integrates with package managers (currently JavaScript and Ruby) to block the installation of malicious packages before they have any chance to attack your codebase.

Supply Chain Defender protects you against typosquatting attacks, malicious takeovers, ATO attacks, makefile pollution, bitcoin mining, accidental injections, botnet code injections, environment and credential stealing, viruses, package tampering, package CVEs, JavaScript CVEs, Ruby CVEs, brandjacking, and dependency confusion.

Since its public launch in early 2020, Mend Supply Chain Defender has detected more than 350 known malicious packages on the Rubygems registry, and more than 1,400 malicious packages on NPM since late 2021. 

Reinforce your software supply chain now, by using Mend Supply Chain Defender. Start for free.

Meet The Author

Adam Murray

Adam Murray is a content writer at Mend. He began his career in corporate communications and PR, in London and New York, before moving to Tel Aviv. He’s spent the last ten years working with tech companies like Amdocs, Gilat Satellite Systems, Allot Communications, and Sisense. He holds a Ph.D. in English Literature. When he’s not spending time with his wife and son, he’s preoccupied with his beloved football team, Tottenham Hotspur.