
News & Events

Best Practices in Cyber Supply Chain Risk Management
October 1-2, 2015
NIST Gaithersburg, MD.

April 2015 -- NIST is pleased to announce the release of NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

Dec. 2012 -- NIST is pleased to announce a report by the University of Maryland's Supply Chain Management Center: Proof of Concept for an Enterprise ICT SCRM Assessment Package


Contact

General Inquiries
scrm-nist@nist.gov

Jon Boyens
Project Lead
boyens@nist.gov
301-975-5549

Celia Paulsen
Technical Lead
celia.paulsen@nist.gov
301-975-5981

SUPPLY CHAIN RISK MANAGEMENT (SCRM) FOR INFORMATION AND COMMUNICATIONS TECHNOLOGY

Overview

Information and Communications Technology (ICT) relies on a complex, globally distributed, and interconnected supply chain ecosystem to provide highly refined, cost-effective, and reusable solutions. This ecosystem is composed of various entities with multiple tiers of outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices, all of which interact to design, manufacture, distribute, deploy, use, maintain, and manage ICT products and services.

The same factors that enable low cost, interoperability, rapid innovation, a wide variety of product features, and other benefits also increase the risk that the ICT supply chain will be compromised, which in turn creates risk for the end user. These ICT supply chain risks include the insertion of counterfeits, unauthorized production, tampering, theft, the insertion of malicious software and hardware, and poor manufacturing and development practices within the ICT supply chain.

ICT Supply Chain Risk Management (SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of ICT product and service supply chains. It covers the entire life cycle of a system (including design, development, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an ICT product or service at any stage.

NIST/ITL Approach

The NIST ICT SCRM program started in 2008, when it initiated the development of ICT SCRM practices for non-national security information systems, in response to Comprehensive National Cybersecurity Initiative (CNCI) #11, “Develop a multi-pronged approach for global supply chain risk management.”

Since then, NIST has worked with diverse stakeholders from across government, industry, and academia to identify and evaluate effective technologies, tools, techniques, practices, and standards for securing the ICT supply chain. NIST has researched, and continues to research, the state of ICT SCRM in both the public and private sectors, related standards and initiatives, effective practices, and metrics. In addition, NIST has awarded several grants to conduct research in this area and to develop a web-based risk assessment and collaboration tool.

NIST ICT SCRM Fact Sheet