The recent SolarWinds attack alerted the world to the risk of a cyber supply chain attack—an attack through or on your company’s vendors or suppliers. It is increasingly clear that even if you take all the right steps to secure your own computer systems, your company—and your company’s data—is only as secure as the weakest link among your suppliers. This risk includes attacks that might infect your computer systems, as well as the risk that your suppliers’ businesses will be disrupted.
In a timely coincidence, the National Institute of Standards and Technology (“NIST”) recently published Key Practices in Supply Chain Risk Management: Observations from Industry, which provides suggestions to locate and address the weak links in your supply chain. The new guidelines also contribute to the growing body of authorities that companies—and courts—might look to when determining what constitute “reasonable” cyber safeguards.
I. THE GUIDANCE
NIST has long focused on supply chain risk. The organization launched its cyber supply chain risk management (“C-SCRM”) program in 2008. In 2015 and 2019, NIST conducted expert interviews, developed case studies, and analyzed existing practices in industry and government. Based on that research, in February 2021, NIST published NISTIR 8276, Key Practices in Supply Chain Risk Management: Observations from Industry.
Although the release of NIST’s guidance appears unrelated to the SolarWinds attack, the NIST guidance nevertheless provides a number of useful tips to address cyber supply chain weaknesses like those exposed in the SolarWinds breach. Specifically, NIST formulated eight “key practices” for C-SCRM:
NIST breaks down each key practice in further detail, and provides practical “recommendations that synthesize how these practices can be implemented.” Building on the key practices, NIST offers several “key recommendations,” including:
II. COMMENTARY AND CRITICISM
The new NIST guidance reflects the increased attention companies are paying to managing cyber supply chain risks. It is a useful resource for enterprises of all sizes, though some of the recommendations may be too burdensome or complex for smaller organizations to reasonably adopt. Small businesses may lack sufficient purchasing power to require their suppliers to complete certifications or participate in contingency planning, as NIST suggests, and may not have the resources to create internal councils and intricate review procedures.
Even for large businesses, the cost of bringing an enterprise into conformity with NIST’s recommendations will likely be significant. To defray costs, NIST suggests using “[s]hared supplier questionnaires across like organizations, such as within the same critical infrastructure sector.” While potentially useful—especially for small organizations—some commentators have pointed out the risk of turning C-SCRM into a box-checking activity. With an ever-increasing number of forms, C-SCRM professionals may spend more energy ensuring a technical “yes” or “no” answer than considering the actual risks in cyber supply chains.
III. DEVELOPING A STANDARD OF “REASONABLE”
One of the defining challenges in this era of ever-increasing cyber risk is what constitutes a “reasonable” cybersecurity protocol. In many states, if a company has reasonable cyber safeguards in place, it can avoid liability despite a breach. Similar language is frequently used in contracts between private parties. Yet, for the most part, it is unclear what precisely constitutes “reasonable”—particularly in the context of litigation. It is not uncommon to refer to existing cybersecurity frameworks—such as those issued by NIST—when making such a determination. In Ohio, for example, businesses that “reasonably conform” to one of several cybersecurity frameworks, including several of NIST’s, qualify for safe harbor under the state’s recently enacted data security law.
Other states’ attorneys general and judges overseeing civil litigation may look to the NIST supply chain framework for guidance on what constitutes “reasonable” cyber supply chain risk management. In this respect, producing a record of C-SCRM prioritization—such as supplier questionnaires, inter-department councils, and formal policies and procedures—may provide the double benefit of mitigating supply chain risk and documenting your company’s “reasonable” preparedness.