Every business depends on suppliers such as vendors, service providers, contractors, and systems integrators to provide critical input. But suppliers can also introduce business risk. Supply chain risk management (SCRM) is the business discipline that aims to understand and mitigate supplier risk.
According to the National Institute of Standards and Technology (NIST), examples of supply chain risk include:
Supply chain attacks can lead to:
Suppliers are outside entities that offer varying levels of transparency into their business policies and practices. Without visibility and industry standards, it's difficult to assess the level of risk that suppliers may introduce into your organization.
Cyber SCRM (C-SCRM) addresses potential risks to the IT, OT, and communications technologies that are essential to your organization's mission. It even includes cybersecurity vendors and the products, software, and services that defend your organization against cyber attacks.
While there are many sources of best practices, NIST makes many of its publications freely available.
The U.S. Department of Defense (DoD) relies on hundreds of contractors and research institutions, which could introduce supply chain risk. Of particular concern is the security of sensitive information the department holds. Its new Cybersecurity Maturity Model Certification (CMMC) is an innovative program that aims to ensure its suppliers properly protect DoD data from cyber attacks.
Security addresses the confidentiality, integrity, and availability of the supply chain, its participants, and the data that travels across it.
Integrity aims to ensure that products are genuine, unaltered, and will perform as intended without unwanted functionality.
Resilience is focused on ensuring that supply chains function properly under pressure, stress, and even failure.
Quality is aimed at reducing vulnerabilities that can be exploited, cause failures, or limit the intended function of products and services.