by Lon J. Berman, CISSP, RDRP
The year 2020 will be remembered for lots of things, not the least of which was the “great toilet tissue shortage.” Who can forget running from store to store, only to be confronted with empty shelves? 2020 was also the year the term “supply chain” began to appear in the mainstream press. All sorts of product shortages were blamed on “supply chain issues”. So, what exactly is a “supply chain” and what does it have to do with the Risk Management Framework (RMF)?
A supply chain is defined as the network of all the entities involved in the creation and sale of a product, starting with raw materials and ending with a finished product. Supply chain security is management of the supply chain that focuses on risk management of external suppliers, vendors, logistics, and transportation.
It’s easy to see how our IT systems can be affected by supply chain security issues. Nearly every IT system is comprised of components acquired from external suppliers. In addition, most IT systems also rely on external providers such as web-based services or cloud service providers. In essence, their security issues can easily become our security issues. It’s a lot like security control inheritance in that sense.
None of this is new to IT security experts. In fact, in May 2022 the National Institute of Standards and Technology (NIST) published an extensive volume of guidance on supply chain security, NIST Special Publication (SP) 800-161r1, entitled Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. This publication includes templates for key Cybersecurity Supply Chain Risk Management (C-SCRM) activities, including:
- C-SCRM Strategy and Implementation Plan
- C-SCRM Policy
- C-SCRM Plan
- C-SCRM Risk Assessment
NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, published in September 2022, contains an entire security control family dedicated to Supply Chain Risk Management. As you probably already know, this publication is the source of the controls in the Risk Management Framework (RMF) baselines. In other words, all information system owners are now required to include supply chain security in their comprehensive security plans and procedures. The Supply Chain Risk Management (SR) control family contains 12 security controls covering key supply chain security issues, including:
- SR-1 Policy and Procedures
- SR-2 Supply Chain Risk Management Plan
- SR-3 Supply Chain Processes and Procedures
- SR-4 Provenance
- SR-5 Acquisition Strategies, Tools and Methods
- SR-6 Supplier Assessments and Reviews
- SR-7 Supply Chain Operations Security
- SR-8 Notification Agreements
- SR-9 Tamper Resistance and Detection
- SR-10 Inspection of Systems or Components
- SR-11 Component Authenticity
- SR-12 Component Disposal
Wellllllllll … I admit it, I lied … a little bit! NIST SP 800-53 Rev 5 is the official policy of most federal civil agencies (e.g., Dept. of State, Treasury, Homeland Security, Health and Human Services, etc.); however, it has still not been officially adopted by the Department of Defense (DoD). Official DoD policy is still based on NIST SP 800-53 Rev 4. DoD is expected to adopt Rev 5 “shortly”.
RMF & Supply Chain Security (1 Day)
The RMF and Supply Chain Security training program is tailored for government acquisition personnel, contractors, and vendors in the defense industrial base involved in procurement, IT security, compliance, and risk management. This class is for anyone responsible for the protection of sensitive information and intellectual property, including within their organization’s supply chain.