NIST SP 800-161 Revision 1 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations) provides guidance for identifying, assessing and mitigating cybersecurity risks throughout the supply chain. It builds on NIST SP 800-53, the broader catalog of security and privacy controls that is foundational to most cybersecurity programs: the C-SCRM controls in SP 800-161 extend the SP 800-53 control families (including the Supply Chain Risk Management, or SR, family) with supply-chain-specific guidance rather than forming a subset of them.
The National Institute of Standards and Technology (NIST) designed NIST 800-161 to improve cybersecurity supply chain risk management across all U.S. federal agencies. The SolarWinds supply chain attack demonstrated the limitations of supply chain security in the federal government and the criticality of a robust supply chain risk management program for preventing similar cyberattacks in future.
The following checklist can be used as a template to help government agencies track compliance with the security policies and security requirements of NIST 800-161.
If you're also implementing security controls from NIST 800-53, refer to this checklist too.
1. Evaluate Your Supply Chain Risks and Define a Context for Implementing a Cybersecurity Supply Chain Risk Management Program
🔲 Designate a Chief Supply Chain Officer (CSCO) or a Chief Operations Officer (COO) to implement and manage the SCRM program.
🔲 List all relevant regulatory compliance obligations, executive orders, and recommended security safeguards influencing your cybersecurity program.
🔲 List all procurement obligations and security controls stipulated in contracts (applicable to third-party service providers).
🔲 Appoint a Senior Information Security Officer to implement and coordinate an organization-wide information security program.
🔲 Design a cybersecurity program that includes a risk management process for sensitive information accessible through the supply chain attack surface.
🔲 Identify any security risks and exposures in cloud service solutions.
🔲 Perform risk assessments for the solutions most exposed to supply chain compromise, such as open-source software and third-party dependencies.
🔲 Align your cybersecurity and Supply Chain Risk Management strategy with the broader risk appetite of the organization.
2. Identify All Applicable SCRM Controls
🔲 Identify all Information and Communications Technology (ICT) supply chain risks through risk assessments.
🔲 Define an ICT SCRM policy.
🔲 Perform internal and external supply chain risk assessments to discover potential malware attack vectors and malicious code injection points.
🔲 Identify compliance gaps from security assessment results.
🔲 Implement a Zero Trust Architecture so that every request for sensitive data is authenticated and authorized, regardless of network location.
🔲 Integrate additional controls from other security frameworks, such as ISO/IEC 27001, to bolster data security.
🔲 Implement access controls, such as Multi-Factor Authentication, to verify end-user identity before granting access.
🔲 Review previous security incidents, including near misses that could have developed into data breaches, and identify incident handling improvements.
🔲 Enforce secure coding practices in the software development lifecycle to minimize the potential of software vulnerabilities leading to supply chain attacks.
3. Clearly Define an SCRM Maturity Pathway
🔲 Ensure organization-wide understanding of the proposed supply chain risk management program.
🔲 Adapt SCRM program management efforts to accommodate the unique requirements of each department.
🔲 Define a baseline for compliance with NIST special publication 800-161.
🔲 Implement an information-sharing pathway to encourage a collaborative effort for the enhancement of SCRM initiatives.
🔲 Ensure organization-wide understanding of the importance of computer security to mitigate supply chain attack attempts.
🔲 Define tiering criteria to encourage the continuous monitoring of vendors with the highest likelihood of becoming attack vectors.
🔲 Establish a scale for rating data sensitivity.
🔲 Implement a security rating tool for rapidly identifying supply chain security risks.
4. Publish Cybersecurity & Privacy Program Documentation
🔲 Document the SCRM program and its policies and distribute them organization-wide.
🔲 Map SCRM policies to the organization’s Enterprise Risk Management framework.
🔲 Map SCRM policies to business processes to establish a supply chain system security culture.
🔲 Educate staff on how to follow SCRM directives to minimize disruptions from supply chain attacks.
🔲 Ensure SCRM documentation is readily available to external parties with a legitimate need, such as auditors, assessors and oversight bodies.
🔲 Define configuration management policies to reduce the potential of data leaks.
5. Designate Control Owners and Operators
🔲 Assign stakeholders and security teams to take responsibility for each security and privacy control.
🔲 Assign a ‘control operator’ responsible for executing each data protection control.
🔲 Develop Standard Operating Procedures (SOPs) for all control families.
🔲 Establish an Incident Response Plan and contingency plan for addressing supply chain risks.
🔲 Define strict access validation policies for critical government resources.
6. Maintain Supply Chain Threat Readiness
🔲 Implement a real-time attack surface monitoring solution to discover emerging supply chain security risks.
🔲 Streamline the vendor risk management program with scalable processes, such as automated vendor assessments.
🔲 Map your digital footprint to identify all data inventory resources across your information and communications technology ecosystem.
🔲 Map all potential sensitive data access pathways, including those originating from private sector businesses.
🔲 Establish a remediation strategy that prioritizes the most critical risks to your security posture.
🔲 Establish an inventory of all service provider contracts mapping to sensitive resources.
🔲 Designate key stakeholders that will assess compliance efforts in quarterly reviews.
🔲 Designate key stakeholders for handling SCRM-related issues.
Additional Helpful Resources
- Best Practices for Cybersecurity Compliance Monitoring.
- Supply Chain Risk Management Practices for Federal Information Systems and Organizations (NIST).
- Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST).
- NIST Risk Management Framework (NIST).
- NISTIR 7622 - Notional Supply Chain Risk Management Practices for Federal Information Systems (NIST).
- FIPS 140-3 (UpGuard).