The recent SolarWinds attack alerted the world to the risk of a cyber supply chain attack—an attack through or on your company’s vendors or suppliers. It is increasingly clear that even if you take all the right steps to secure your own computer systems, your company—and your company’s data—is only as secure as the weakest link among your suppliers. This risk includes attacks that might infect your computer systems, as well as the risk that your suppliers’ businesses will be disrupted.
In a timely coincidence, the National Institute of Standards and Technology (“NIST”) recently published Key Practices in Supply Chain Risk Management: Observations from Industry, which provides suggestions to locate and address the weak links in your supply chain. The new guidelines also contribute to the growing body of authorities that companies—and courts—might look to when determining what constitute “reasonable” cyber safeguards.
I. THE GUIDANCE
NIST has long focused on supply chain risk. The organization launched its cyber supply chain risk management (“C-SCRM”) program in 2008. In 2015 and 2019, NIST conducted expert interviews, developed case studies, and analyzed existing practices in industry and government. Based on that research, in February 2021, NIST published NISTIR 8276, Key Practices in Supply Chain Risk Management: Observations from Industry.
Although the release of NIST’s guidance appears unrelated to the SolarWinds attack, the NIST guidance nevertheless provides a number of useful tips to address cyber supply chain weaknesses like those exposed in the SolarWinds breach. Specifically, NIST formulated eight “key practices” for C-SCRM:
- Integrate C-SCRM Across the Organization: NIST suggests establishing supply chain risk councils with stakeholders from supply chain/procurement, information technology, cybersecurity, operations, legal, enterprise risk management, and other areas. The councils should proactively review relevant risks and mitigation plans. Explicit positions to bridge departments can also be useful, as well as formalized collaboration at multiple levels of seniority.
- Establish a Formal C-SCRM Program: Establishing a formal program ensures accountability. As part of the program, companies should develop clear governance and standardized policies, including clear definitions of roles.
- Know and Manage Critical Suppliers: Critical suppliers are (1) “those suppliers which, if disrupted, would create a negative business impact on the organization” and (2) “those suppliers that provide critical components to a business.” After an assessment, “risks can be assessed, and suppliers can be prioritized.”
- Understand the Organization’s Supply Chain: Understanding your supply chain requires an understanding of your suppliers and their suppliers (i.e., sub-suppliers). In NIST parlance, companies should “establish real-time visibility into the production processes of their outsourced manufacturers.”
- Closely Collaborate with Key Suppliers: NIST suggests maintaining close working relationships with your suppliers. Another recommendation is to require your suppliers to use the same C-SCRM standards you do, helping achieve uniform quality.
- Include Key Suppliers in Resilience and Improvement Activities: NIST recommends establishing protocols for information sharing and jointly developing incident response, business continuity, and disaster recovery plans with suppliers.
- Assess and Monitor Throughout the Supplier Relationship: An assessment performed before a supplier is retained is a snapshot in time. To maintain security, NIST recommends assessing your suppliers’ controls on a regular basis.
- Plan for the Full Life Cycle: Finally, NIST suggests planning for unexpected interruptions to your supply chain, especially of key components of the supply chain that could be particularly disruptive to your own operations.
NIST breaks down each key practice in further detail, and provides practical “recommendations that synthesize how these practices can be implemented.” Building on the key practices, NIST offers several “key recommendations,” including:
- Create explicit collaborative roles, structures, and processes for supply chain, cybersecurity, product security, physical security, and other relevant functions.
- Integrate cybersecurity considerations into the system and product life cycle.
- Determine supplier criticality by using industry standards and best practices.
- Mentor and coach suppliers to improve their cybersecurity practices.
- Include key suppliers in contingency planning (CP), incident response (IR), and disaster recovery (DR) planning and testing.
- Use third-party assessments, site visits, and formal certification to assess critical suppliers.
II. COMMENTARY AND CRITICISM
The new NIST guidance reflects the increased attention companies are paying to managing cyber supply chain risks. It is a useful resource for enterprises of all sizes, though some of the recommendations may be too burdensome or complex for smaller organizations to reasonably adopt. Small businesses may lack sufficient purchasing power to require their suppliers to complete certifications or participate in contingency planning, as NIST suggests, and may not have the resources to create internal councils and intricate review procedures.
Even for large businesses, the cost of bringing an enterprise into conformity with NIST’s recommendations will likely be significant. To defray costs, NIST suggests using “[s]hared supplier questionnaires across like organizations, such as within the same critical infrastructure sector.” While potentially useful—especially for small organizations—some commentators have pointed out the risk of turning C-SCRM into a box-checking activity. With an ever-increasing number of forms, C-SCRM professionals may spend more energy ensuring a technical “yes” or “no” answer than considering the actual risks in cyber supply chains.
III. DEVELOPING A STANDARD OF "REASONABLE"
One of the defining challenges in this era of ever-increasing cyber risk is what constitutes a “reasonable” cybersecurity protocol. In many states, if a company had reasonable cyber safeguards, it can avoid liability despite a breach. Similar language is frequently used in contracts between private parties. Yet, for the most part, it is unclear what precisely constitutes “reasonable”—particularly in the context of litigation. It is not uncommon to refer to existing cybersecurity frameworks—such as those issued by NIST—when making such a determination. In Ohio, for example, businesses that “reasonably conform” to one of several cybersecurity frameworks, including several of NIST’s, qualify for safe harbor under the state’s recently-enacted data security law.
Other states’ attorneys general and judges overseeing civil litigation may look to the NIST supply chain framework for guidance on what constitutes “reasonable” cyber supply chain risk management. In this respect, producing a record of C-SCRM prioritization—such as supplier questionnaires, inter-department councils, and formal policies and procedures—may provide the double benefit of mitigating supply chain risk and documenting your company’s “reasonable” preparedness.