As awareness of cybersecurity supply-chain risks grows among federal agencies, there is a greater need for solutions that can evaluate the consequences of a supply chain-related cyber event, the National Institute of Standards and Technology said in a release. However, this can be difficult, especially for organizations with complex operational environments and supply chains.
A publicly available solution to support supply chain risk analysis that specifically takes into account the potential impact of an event does not currently exist. NIST seeks to remedy that with NISTIR 8272 (Draft). This draft describes how to use the Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool, which has been developed to help federal agencies identify and assess the potential impact of cybersecurity events in their interconnected supply chains.
NISTIR 8272 (Draft) describes a prototype tool that shows a possible solution for “filling the gap between an organization's risk appetite and supply chain risk posture by providing a basic measurement of the potential impact of a cyber-supply chain event,” NIST reported. The tool does not represent a complete supply-chain risk management solution. Rather, it is intended to be integrated into, or used in concert with, tools such as third-party management, enterprise resource planning, and supply chain management efforts.
NIST said comments that are related to additional functionality or other aspects of the tool may be used to develop future versions of the software.
Download NISTIR 8272 (Draft). Comments are due April 17, 2020; please email comments to: scrm-nist@nist.gov
Supplemental Material:
CSRC - Source Code, Sample Data, and Installer Packages (other)
GitHub - Source Code, Sample Data, and Installer Packages (pdf)