Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.
Supply chain events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on a system and its information and, therefore, can also adversely impact organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.
[NIST SP 800-30] provides guidance on risk assessments, threat assessments, and risk analyses. [NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.
Organizations will have varying policies, definitions, and actions for this requirement. It is important for a single organization to be consistent and to build a process that makes sense for their organization, strategy, unique supply chain, and the technologies available to them.
You are responsible for information security in your organization, which holds and processes CUI. One of your responsibilities is to manage risk associated with your supply chain that may provide an entry point for the adversary. First, you acquire threat information by subscribing to reports that identify supply chain attacks in enough detail that you are able to identify the risk points in your organization’s supply chain [a]. You create an organization-defined prioritized list of risks the organization may encounter and determine the responses to be implemented to mitigate those risks [b,c].
In addition to incident information, the intelligence provider also makes recommendations for monitoring and auditing your supply chain. You assess, integrate, correlate, and analyze this information so you can use it to acquire monitoring tools to help identify supply chain events that could be an indicator of an incident. This monitoring tool provides visibility of the entire attack surface, including your vendors’ security posture [d]. Second, you analyze the incident information in the intelligence report to help identify defensive tools that will help respond to each of those known supply chain attack techniques as soon as possible after such an incident is detected, thus mitigating risk associated with known techniques.
Potential Assessment Considerations
- Has the organization prioritized risks to the supply chain [a,b]?
- Does the organization have viable service-level agreements that describe and enable responses to supply chain incidents [c,d]?