Cyber Supply Chain Risk Management (C-SCRM)
Cyber supply chain risk management (C-SCRM) is the process of identifying, assessing, and mitigating risks associated with the distributed and interconnected nature of information technology (IT) and operational technology (OT) product and service supply chains.
Key aspects of C-SCRM include:
- Identifying cyber risks that exist within a supply chain and managing those risks
- Assessing the cyber threat landscape and determining which suppliers are most critical
- Implementing measures to mitigate identified risks, such as deploying security controls, encryption, and access restrictions
- Gaining visibility into risks posed by third, fourth and Nth parties in the extended supply chain
- Ensuring suppliers have the necessary security controls to protect sensitive data and prevent disruptions
- Conducting pre-contract due diligence on potential suppliers' cybersecurity practices during the sourcing process
C-SCRM requires a coordinated, organization-wide effort involving functions like sourcing, vendor management, supply chain continuity, quality, and transportation security. It is not solely an IT problem, but also involves people, processes and knowledge.
Some key cyber supply chain risks include compromised software or hardware from suppliers, software vulnerabilities in supply chain management systems, counterfeit hardware with embedded malware, and poor security practices by lower-tier suppliers.