Federal government contractors that handle Controlled Unclassified Information (CUI) must implement the National Institute of Standards and Technology (NIST) cybersecurity standard SP 800-171. In May 2024, NIST released revision 3 of that standard, which includes a new "family" of safeguards for CUI called "Supply Chain Risk Management". One of the safeguards requires contractors to develop, maintain, and protect a Supply Chain Risk Management Plan. In this post we'll explore the NIST Supply Chain Risk Management (SCRM) requirements and provide an overview of how small businesses can perform SCRM. You can download our Supply Chain Risk Management Plan template at the end of this post.
What are the NIST controls for Supply Chain Risk Management?
Revision 3 of the 800-171 standard for the protection of CUI has three controls – or safeguards – related to SCRM, all in the new Supply Chain Risk Management family (section 03.17):
03.17.01 Supply Chain Risk Management Plan
a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, system components, or system services.
b. Review and update the supply chain risk management plan [at an organization-defined frequency].
c. Protect the supply chain risk management plan from unauthorized disclosure.
03.17.02 Acquisition Strategies, Tools, and Methods
Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and mitigate supply chain risks.
03.17.03 Supply Chain Requirements and Processes
a. Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes.
b. Enforce the following security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events: [security requirements defined by your company or your customer].
The implementation of all these controls can be described in a single Supply Chain Risk Management Plan, so rather than break down each of these controls individually, let’s first get an overall understanding of what is involved in SCRM in the next section, and then later on in the post we’ll explore how to manage the development of the SCRM Plan itself.
What is SCRM?
NIST defines “supply chain” as:
"Linked set of resources and processes between and among multiple tiers of organizations, each of which is an acquirer, that begins with the sourcing of products and services and extends through their life cycle."
Source: NIST glossary
And the Committee on National Security Systems (CNSS) defines “supply chain risk” as:
“The risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of an item of supply or a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of a system.”
Source: CNSSD 505
To perform supply chain risk management, then, we must reduce the likelihood, the impact, or both, of adversarial subversion of our network of suppliers and vendors: the organizations that provide the raw materials, components, assembled goods, and services we incorporate into the goods and services we deliver to our customer. Since the Federal government is the customer for us government contractors, and the Federal government procures some pretty critical goods and services (especially the DoD!), you can understand why the Federal government – through NIST – is asking us to manage risk in our supply chains.
There is a long list of salient examples of supply chain or third-party compromises that seriously affected downstream customers, e.g., the 2013 Target breach (which began with a third-party vendor's credentials) and the 2022-2023 Atlassian vulnerabilities. Some such compromises significantly degraded the Federal government's mission, for example the 2014-2015 OPM data breach and the SolarWinds compromise discovered in 2020, in which a trojanized software update was pushed to thousands of customers, including Federal agencies. With the inclusion of SCRM requirements in NIST 800-171 rev 3, the Federal government is getting serious about "flowing down" requirements to its contractors to secure their supply chains and help prevent CUI breaches that originate in a supplier.
Supply chain risks come in a variety of forms, for example:
- Product/quality risk: unreported recalls, counterfeit parts, non-military specification parts, reliability, and manufacturability.
- Financial risk: financially distressed suppliers, insolvency, currency exchange volatility, and litigations/lawsuits.
- Political and regulatory risk: political unrest, terrorism, new laws and regulations, industrial disputes, and business ethics issues.
- Foreign influence risks: foreign intelligence services; foreign investment and management with the potential to influence design, capabilities, or introduction of other risks.
- Operational risk: transportation disruption, ports customs capacity issues, limited supply base, unresponsive supply chain, and disruption due to internal operations.
- Environmental risk: energy scarcity, earthquakes, fire, adverse weather, and other natural disasters.
- Technology risk: data breach, cyber breach, intellectual property loss, malicious technology insertion, risks to critical program information, and critical functions and components.
- Human capital risk: health and safety issues, workforce shortages, pandemic, and loss of talent and skills.
Our job in SCRM is to:
- perform a risk analysis of our supply chain members,
- require those members to do their own supply chain risk assessment and communicate the results to us,
- identify and implement risk mitigators for our supply chain members, and,
- require those members to implement their own risk mitigators and report those to us.
There are a variety of Supply Chain Risk mitigators including:
- establishing key performance indicators (KPIs) for each risk mitigator, so that its effectiveness can be measured
- diversifying the supplier base
- conducting supplier performance reviews
- conducting supplier quality audits
- contingency planning
- continuous monitoring
- collaborating with legal experts
- identifying alternative logistic paths
- requiring suppliers to adopt cybersecurity measures (this is part of NIST 800-171 rev 3 control 03.17.03, listed above)
- executing regular technology updates
- implementing training programs
- planning for workforce disruption
- establishing clear communication channels
Looking at the list of potential risks and mitigators above, and understanding the scope of even a small business' supply chain, SCRM can be a daunting task. SCRM is often a significant burden for an organization; even for a small business, managing supply chain risk can be a full-time job for a staff member. Unfortunately for small-business Federal government contractors, implementing a SCRM Plan will mean additional tasking for current staff, and may even necessitate hiring new staff. Thus, performing Supply Chain Risk Management becomes a business risk in itself! Nevertheless, we Federal government contractors that handle CUI are required to perform SCRM, and those of us in the DoD will be held accountable for SCRM by the Cybersecurity Maturity Model Certification (CMMC).
When faced with a daunting task, we need a plan. And the good news is that there are plenty of resources for developing a Supply Chain Risk Management Plan.
What is a Supply Chain Risk Management Plan?
A Supply Chain Risk Management Plan defines the organization’s structured SCRM strategy, where the supply chain includes linked activities starting with the sourcing of raw materials and continues all the way to integration into a final product. The SCRM Plan identifies a coordinated holistic approach, involving all supply chain stakeholders, and seeks to identify, analyze, manage, and monitor the risk of associated unintended, adverse events and failure points within the supply chain addressing both process and product.
Attributes of a quality SCRM Plan include:
- Establishment of the organizational SCRM strategy
- Identification of individuals/roles in the organization with SCRM responsibilities
- SCRM policies, processes, and procedures
- Supply Chain Risk identification processes and procedures
- Supply Chain Risk analysis and assessment methodologies
- Supply Chain Risk mitigation planning guidelines
- Supply Chain risk tracking methods and processes
No two organizations have the same supply chain or the same supply chain risk, so each organization will have a unique SCRM Plan. However, individual organizations can follow a common "play book" or template when developing a SCRM Plan. For organizations that have never performed SCRM in the past, a good way to get started is to adopt the activities suggested by a template and tailor them to your own suppliers and risks. You'll find our Supply Chain Risk Management Plan template for download below, so we'll take a moment in this post to explain our approach.
Many DoD prime contractors must deliver some of their business operations plans to their DoD customer(s) as part of Contract Data Requirements List (CDRL) submissions. Often a SCRM Plan is a required CDRL submittal. For many CDRLs, there is an associated Data Item Description (DID), which describes the expected format and content. There happens to be a government DID for an SCRM Plan, DI-MGMT-82256. So, to kill two birds with one stone, we based our NIST 800-171-focused SCRM Plan template on DI-MGMT-82256 DID. It’s quite extensive (32 pages!) and each section in the plan template is mapped to the DID.
Those of you who have CDRL submittals will find our template comprehensive, as it meets all the DID formatting and content requirements and includes sections covering all the SCRM Plan attributes listed just above. Those of you who don't have CDRL submittals but need to abide by NIST 800-171 rev 3 will find that implementing a SCRM Plan based on our template addresses all the rev 3 controls listed in the first section of this post.
Note that if your organization uses our template for your SCRM Plan, you'll still need to establish a policy that defines the frequency for reviewing and updating the plan (control b above), and to implement safeguards that protect the plan from unauthorized access, modification, and disclosure (control c above). The template itself does not satisfy those two requirements; they are met by how you operate and protect the plan. Understandably, the SCRM Plan is a sensitive document, as it contains intimate details on organizational risk, your suppliers, and your known weaknesses, and it must be adequately protected.
Wrapping up
NIST’s rev 3 of the 800-171 standard includes Supply Chain Risk Management requirements. SCRM can be a daunting task for businesses of any size, but especially for small businesses. We’ve outlined what it takes to perform SCRM, and provided a downloadable Supply Chain Risk Management Plan template, aligned with the format required for submittal to the government.
If you'd like to understand more about SCRM and SCRM Planning, join us in our monthly Town Halls. If you are a DoD contractor preparing for a CMMC certification, you'll get a lot out of our quarterly CMMC Readiness Workshops.
Good Hunting!
Adam