NIST has released a publication (IR 8276) listing eight key practices in cyber supply chain risk management (C-SCRM). Supply chains are often the weak link in cyber security, so every organization should be aware of and follow these practices.
As described by Navarasu Dhanasekar of Ampcus Cyber (https://www.ampcuscyber.com/blogs/8-key-practices-in-cyber-supply-chain-risk-management/), here is NIST's list:
- Integrate C-SCRM across the organization, including all stakeholders.
- Establish formal policies and procedures.
- Know and manage critical components and suppliers with the greatest impact on the organization.
- Understand the supply chain, including sub-suppliers at all levels.
- Closely collaborate with key suppliers.
- Include key suppliers in resilience and improvement activities. Plan for all disruptions, not only cyber attacks.
- Continuously monitor the relationship.
- Plan for supply chain interruptions, such as the end of support for obsolete hardware and software, discontinued production, or changes in supplier ownership or management. Keep a reserve of critical components.