Authoritative Sources On SCRM & C-SCRM
It is important to understand that the US National Institute of Standards and Technology (NIST) is the authoritative source on SCRM-related matters and provides authoritative guidance on the subject for the US Government:
- Section 1323 of the Secure Technology Act tasked NIST with identifying and recommending development of "supply chain risk management standards, guidelines, and practices for executive agencies to use when assessing and developing mitigation strategies to address supply chain risks..."
- Section 201.301(d) of the Federal Acquisition Supply Chain Security Act (FASCSA) requires the Federal Acquisition Security Council (FASC) to consult with NIST, and requires NIST to participate in FASC activities as a member to advise the FASC on NIST standards and guidelines issued under 40 U.S.C. 11331, including ensuring that any recommended orders do not conflict with such standards and guidelines.
Essentially, this establishes NIST as the de facto authoritative source for SCRM-related matters for the US Government.
Primary Sources For SCRM Practices
The following sources are foundational to the concept of SCRM. The list is dominated by NIST publications.
Supply Chain Risk Management Practices for Federal Information Systems and Organizations
NIST SP 800-161 is the primary source for the US Government's guidance on the topic of SCRM.
Note: an updated version is expected to be released sometime in 2021.
Integrating Cybersecurity and Enterprise Risk Management (ERM)
NIST IR 8286 is intended to help improve cybersecurity risk management practices as part of an organization's overall Enterprise Risk Management (ERM) program.
Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-53 is the US Government's primary source of cybersecurity and privacy controls. Nearly all controls in NIST SP 800-161 are drawn from NIST SP 800-53 Revision 4 (R4).
Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
NIST IR 8276 is a "C-SCRM best practices guide" that can be used to implement a robust C-SCRM program or function at an organization of any size, scope, or complexity. It is based on information gathered during the 2015 and 2019 NIST research initiatives.
Supporting Sources For SCRM Practices
The following sources generally build on the concepts established by the NIST publications listed above.
Infographic "leader's guide" on SCRM from the Cybersecurity and Infrastructure Security Agency (CISA).