RMF and Supply Chain Security

Today, our organizations rely on digital technology more than ever to accomplish critical mission/business functions.  Information and communications technology (ICT), Operational Technology (OT), and IT Services that organizations acquire are part of complex, globally distributed, extensive, and interconnected supply chain ecosystems that are comprised of geographically diverse routes and consists of multiple levels of outsourcing.  These facts present risks that are called “supply chain injection” attacks that have seen a significant increase since 2018.

To mitigate and manage these risks your organization needs a NIST compliant Cybersecurity Supply Chain Risk Management (C-SCRM) that differs from the traditional supply chain risk management programs that mainly deal with materiel and non-IT assets.  This course will assist your organization in developing a tailored C-SCRM program that is cost effective and address C-SCRM requirements (implementation statements and assessment procedures) brought in NIST SP 800-53 Rev 5.

Subject Areas Covered:

• Establish C-SCRM team, determine roles and responsibilities.
• Basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly.
• Address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems.
• Addresses managing, implementation, and monitoring of C-SCRM controls
• Determine C-SCRM risk tolerance
• Identifying and assessing C-SCRM risks
• Determining appropriate risk response actions and acceptable C-SCRM risk mitigation strategies or controls.
• Description of and justification for C-SCRM mitigation measures taken
• Monitoring performance against plans
• Specify documentation protection requirements.
• Providing training, education, and awareness programs for personnel regarding C-SCRM, available mitigation strategies
• Train personnel to detect counterfeit system components