Date Published: October 30, 2024
Comments Due:
Email Questions to:
Author(s)
National Institute of Standards and Technology
Announcement
Supply chain risk assessments start with due diligence. Acquirers who make procurement decisions need to be informed about potential supplier risks before those decisions are executed. Consequently, many acquisition operating procedures strongly recommend or even require an assessment of a supplier’s risk prior to entering into an agreement with them.
Based on the widely adopted content in NIST Special Publication (SP) 800-161r1, this new draft Quick-Start Guide proposes an implementation-ready approach to conducting the minimum amount of investigative rigor on potential suppliers. Identifying the primary risk factors that an acquirer should consider can enable quick turnarounds with limited resources.
Due diligence research is the minimum amount of understanding that an acquirer should have on a supplier and should be done with most of the acquiring organization’s suppliers, regardless of criticality. This Quick-Start Guide provides cybersecurity supply chain risk management (C-SCRM) program capabilities with considerations for creating due diligence supply chain risk assessments in accordance with NIST Special Publication (SP) 800-161r1 (Revision 1). While due diligence supplier assessments can be applied to any type of supplier, this Quick-Start Guide is scoped to information and communications technology (ICT) suppliers. The components of a Due Diligence Assessment are Supply Chain Tiers; Foreign Ownership, Control, or Influence (FOCI); Provenance; Stability; and Foundational Cyber Practices.
Due diligence research is the minimum amount of understanding that an acquirer should have on a supplier and should be done with most of the acquiring organization’s suppliers, regardless of criticality. This Quick-Start Guide provides cybersecurity supply chain risk management (C-SCRM) program...
See full abstract
Due diligence research is the minimum amount of understanding that an acquirer should have on a supplier and should be done with most of the acquiring organization’s suppliers, regardless of criticality. This Quick-Start Guide provides cybersecurity supply chain risk management (C-SCRM) program capabilities with considerations for creating due diligence supply chain risk assessments in accordance with NIST Special Publication (SP) 800-161r1 (Revision 1). While due diligence supplier assessments can be applied to any type of supplier, this Quick-Start Guide is scoped to information and communications technology (ICT) suppliers. The components of a Due Diligence Assessment are Supply Chain Tiers; Foreign Ownership, Control, or Influence (FOCI); Provenance; Stability; and Foundational Cyber Practices.
Hide full abstract
Keywords
cybersecurity supply chain risk management; due diligence; C-SCRM; risk assessment; information and communications technology; ICT; quick-start guide
Control Families
Risk Assessment; Supply Chain Risk Management
