Enhancing Supply Chain Security Using NIST CSF 2.0

Date: 7 May 2024


The National Institute of Standards and Technology (NIST) recently released an update to its landmark Cybersecurity Framework (CSF). The NIST CSF 2.0 now provides a robust guideline for organisations looking to bolster their supply chain security. 

In this article, we explore why supply chain security must be every business’s top priority today: what makes supply chain security so critical to business continuity, what the new standards and regulations, including the EU DORA and NIST CSF 2.0, say about supply chain security, and how to enhance and improve your supply chain security in line with the NIST CSF 2.0.

Remember, our NCSC Assured Training in Cyber Incident Planning and Response covers this topic in detail. It shows you how to assess the weakest links in your supply chain and how to work towards fixing them. Most importantly, however, it shows you how to prepare a plan for recovery if you do succumb to a supply chain attack.


Importance of Supply Chain Security

The emphasis on supply chain security is critical at a time when businesses are more globally interconnected than ever before. This global dispersion of supply chains is making them increasingly vulnerable to cyber threats, if the recent rise in crippling supply chain attacks is anything to go by.

As per IBM’s 2023 X-Force Threat Intelligence Index, over 50% of security breaches can now be traced back to the supply chain and third-party vendors. The study also claims that the average cost of a supply chain attack on a business is $4 million.

The new EU DORA regulation also lays significant emphasis on supply chain security. It enforces the need to evaluate vendor contracts, and how data is shared across the supply chain, with a fine-tooth comb.

It’s no wonder that all the important cybersecurity standards and regulations are placing such a vigorous focus on the supply chain. You only have to think about some of the biggest attacks of the recent past and it becomes clear why. SolarWinds, Fortra’s file transfer software GoAnywhere, Okta, MOVEit: all major names in their industry were compromised, and the snowballing effects were felt by hundreds of organisations across the globe (over 18,000 in the case of SolarWinds).

These attacks and their massive impact make it clear that supply chain security isn’t something one can be complacent or remotely lax about. You can never assume that just because you have strong internal security defences, you won’t be breached. Nor can you assume that because you’ve partnered with well-reputed companies, you won’t fall prey to a third-party compromise.

Constant monitoring and evaluation of your third-party security and supply chain contracts is the need of the hour. Combine this with dedicated effort towards enhancing your overall cyber resilience with a good cybersecurity incident response plan and you can feel a little more assured. 

Let’s now move on to what the update to the NIST Cybersecurity Framework says about Supply Chain security and how you can leverage this guidance to bolster your cyber resilience. 


NIST CSF 2.0 Guidance on Supply Chain Risk Management

The NIST Cybersecurity Framework 2.0 treats supply chain security as a vital aspect of business continuity.

The update to this landmark document has brought two major changes. The core guidance now includes ‘Govern’ as a new function in the Cyber Incident Response Framework. The Govern function emphasises enterprise risk management, and supply chain security is a core component of this.

NIST CSF 2.0 encourages organisations to integrate supply chain risk management into their cybersecurity risk management efforts. 

Section 5 of the Cybersecurity Framework 2.0 discusses the integration of the CSF with other Risk Management Programmes in detail. It is in this section (5.2) that the topic of Supply Chain Risk Management (SCRM) is covered.

Here’s a gist of what the NIST guidance includes: 

  • It encourages organisations to improve communications with all stakeholders, including the supply chain and third-party vendors.
  • It advises developing appropriate plans, policies and procedures to manage exposure to cybersecurity risks arising from the supply chain.
  • It recommends that all businesses understand and implement the Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161r1).


How to Enhance your Supply Chain Security using NIST CSF 2.0

The newly added function of ‘Govern’ under the CSF core contains the category of Cybersecurity Supply Chain Risk Management with GV.SC as its category identifier. Appendix A of the NIST CSF 2.0 describes each function and its categories in detail. 

The recommendations listed in Appendix A under the GV.SC category are quite comprehensive. By understanding and implementing them in your cybersecurity policy and enterprise risk management programme, you can make significant leaps in your third-party security.

To enhance your supply chain security, NIST CSF 2.0 advises the following steps:

  • Establishing processes for supply chain risk management that are agreed to by organisational stakeholders.
  • Establishing clear roles and channels of communication for managing suppliers, partners, vendors, etc.
  • Integrating supply chain risk management into the overall enterprise risk management strategy and improvement processes.
  • Identifying and prioritising suppliers by criticality.
  • Addressing cybersecurity risks in all contracts and vendor agreements.
  • Carrying out due diligence before entering into a partnership with any third party, to keep risk minimal.
  • Constantly recording and monitoring the risks posed by third parties.
  • Including third parties in Cyber Incident Planning and Response and recovery activities (P.S. We often include third-party suppliers in our Cyber Crisis Tabletop Exercises).
  • Continuously monitoring supply chain security practices.
  • Making provisions for managing risks after the relationship with a third party or vendor has concluded.

Simply putting the above NIST CSF 2.0 guidelines into action can bring about a dramatic reduction in your third-party cybersecurity risk.

Essentially, NIST CSF 2.0 encourages organisations to adopt a proactive approach to vendor management. With simple measures such as due diligence processes, regular audits, and the integration of cybersecurity requirements into contracts and service level agreements, you can feel confident that you’ve made significant strides in securing your supply chain. 

Setting clear expectations and continuously monitoring compliance is vital. The framework also advocates for the use of advanced technologies such as blockchain and AI to enhance transparency and real-time monitoring of supply chain activities. Overall, leveraging the strategic guidance offered by NIST CSF 2.0 enables you to create a resilient supply chain that not only withstands cyber threats but also supports sustainable business growth.
