
Standards Support Business Resilience: NIST Releases Cyber Supply Chain Risk Management Strategies


ANSI Encourages Stakeholder Feedback on the Draft Document

In an effort to reduce cybersecurity risks within global supply chains, the National Institute of Standards and Technology (NIST) this month released a draft guidebook on cyber risk management for businesses of all types. Among its key recommendations, NIST underscores the use of industry standards to determine supplier criticality. The American National Standards Institute (ANSI) encourages stakeholder feedback on the draft, which is open for public comment until March 4, 2020.

The guidance builds on research from NIST's Cyber Supply Chain Risk Management (C-SCRM) program and information from company interviews in 2015 and 2019. NIST has also published 24 case studies that demonstrate how different companies, including ANSI members Mayo Clinic, Palo Alto Networks, Inc., and Seagate Technology, implement cyber assessment strategies to protect their businesses.

Safety First: How Cyber Supply Chain Risk Management Supports Business Security

Regardless of organization type, from aerospace to manufacturing, a supply chain compromise has the potential to disrupt business and filter down to products and services. A breach in the supply chain can be costly and pose major safety issues. Although businesses may be well equipped with security tools and protection, they need to assess whether the links throughout their supply chain have the same type of protection in order to avoid compromise.

"Cyber Supply Chain Risk Management" is defined by NIST as the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of information technology/operational technology (IT/OT) product and service supply chains. Additionally, it covers "the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage."

NIST launched its Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) program in 2008 to develop guidelines on mitigation and implementation methodologies.

Key Practices in Cyber Supply Chain Risk Management (Draft NISTIR 8276) details key practices for organizations of any size, scope, and complexity, with additional resources for further research into C-SCRM best practices, including those specific to an organization's industry.

E-mail feedback to [email protected] by March 4, 2020.


Jana Zabinski

Senior Director, Communications & Public Relations


[email protected]

Beth Goodbaum

Journalist/Communications Specialist


[email protected]