Authoritative Sources On SCRM & C-SCRM

It is important to understand that the US National Institute of Standards and Technology (NIST) is the authoritative source on SCRM-related matters and provides authoritative guidance on the subject for the US Government:

  • Section 1323 of the Secure Technology Act tasked NIST with identifying and recommending development of "supply chain risk management standards, guidelines, and practices for executive agencies to use when assessing and developing mitigation strategies to address supply chain risks..."

  • Section 201.301(d) of the Federal Acquisition Supply Chain Security Act (FASCSA) requires the Federal Acquisition Security Council (FASC) to consultation with NIST and participate in FASC activities as a member to advise the FASC on NIST standards and guidelines issued under 40 U.S.C. 11331, including ensuring that any recommended orders do not conflict with such standards and guidelines.

Essentially, this establishes NIST as the de facto authoritative source for SCRM-related matters for the US Government.

Primary Sources For SCRM Practices

The following sources are foundational to the concept of SCRM. This is dominated by NIST publications.

NIST SP 800-161

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Link - NIST 800-161.png

NIST SP 800-161 is the primary source for the US Government's guidance on the topic of SCRM.

 

note: an updated version is expected to be released sometime in 2021. 

NIST IR 8286

Integrating Cybersecurity and
Enterprise Risk Management (ERM)

Link - NIST IR 8286.png

NIST IR 8286 is intended to help improve cybersecurity risk management practices as part of an organization's overall Enterprise Risk Management (ERM) program.

NIST SP 800-53 R5

Security and Privacy Controls for Information Systems and Organizations

Link - NIST 800-53.png

NIST SP 800-53 is the US Government's primary source of cybersecurity and privacy controls. Nearly all controls from NIST SP 800-161 are sourced from NIST SP 800-53 R4.

NIST IR 8276

Key Practices in Cyber Supply Chain
Risk Management: Observations from Industry

Link - NIST IR 8276.png

NIST IR 8276 is a "C-SCRM best practices guide" that can be used to implement a robust C-SCRM program or function at an organization of any size, scope, or complexity, based on information gathered during the 2015 and 2019 NIST research initiatives.

Supporting Sources For SCRM Practices

The following sources generally build off of the concepts established by the NIST publications listed above.

SCRM Essentials: Information & Communications Technology SCRM IN A Connected World

Link - CISA SCRM Essentials.png

Infographic "leader's guide" on SCRM from the Cybersecurity and Infrastructure Security Agency (CISA).

USCC - 2020 Annual Report To Congress

Link - 2020 Report to Congress.png

2020 Annual Report To Congress from the US-China Economic and Security Review Commission.

Supply Chain Risk Management: Reducing Threats to Key US Supply Chains

Link - SCRM NCSC.png

Short publication from the National Counterintelligence and Security Center (NCSC) on key threats to the US supply chain.

Planning for the Inevitable: The Role of the Federal Supply Chain in Preparing for National Emergencies

Link - IBM SCRM.png

SCRM-related planning from the IBM Center for The Business of Government

Supply Chain Vulnerabilities from China in US Federal Information and Communications Technology

Link - US CESRC Report.png

2018 report from the US-China Economic and Security Review Commission.

© Verutus, LLC (Verutus). All Rights Reserved.

MetaSCRM - Supply Chain Risk Management

MetaSCRM.com is meant to be an educational website, where it does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. Verutus, LLC (Verutus) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. Verutus does not warrant or guarantee that the information will be without error or not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

Verutus reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

Square Logo.jpg