2.8 SUPPLY CHAIN RISK MANAGEMENT

Organizations are becoming increasingly reliant on products, systems, and services provided by external providers to carry out missions and business functions. Organizations are responsible and accountable for the risk incurred when using such component products, systems, and services.⁴⁶ Relationships with external providers can be established in a variety of ways, for example, through joint ventures, business partnerships, various types of formal agreements (e.g., contracts, interagency agreements, lines of business arrangements, licensing agreements), or outsourcing arrangements.

The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing amount of risk to an organization. Risk may increase based on the likelihood of occurrence and adverse impact from threat events such as the insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain, including the failure to build in security or privacy capabilities that enable an organization to better manage risk in its environment.

Supply chain risks can be endemic or systemic within a system element, system, organization, sector, or nation. While the singular use of a system element or service within a system may present an acceptable risk to an organization, its common or extended use throughout a system, organization, sector or nation can raise the risk to an unacceptable level. These risks are often associated with the global and distributed nature of product and service supply chains and an organization’s decreased visibility into, and understanding of, how the technology that they acquire is developed, integrated, and deployed. This includes the processes, procedures, and practices used to assure the integrity, security, resilience, privacy capabilities, and quality of the acquired products, systems, and services.

To address supply chain risks, organizations develop an SCRM policy, which is an important vehicle for directing SCRM activities. Guided and informed by applicable laws, executive orders, directives, policies, and regulations, the SCRM policy supports applicable organizational policies (e.g., acquisition and procurement, information security and privacy, logistics, quality, and supply chain). The policy addresses the goals and objectives in the organization’s strategic plan, missions and business functions, and the internal and external customer requirements. It also defines the integration points for SCRM with the risk management and the SDLC processes for the organization. Finally, the SCRM policy defines the SCRM roles and responsibilities within the organization, any dependencies among those roles, and the interaction among the roles. SCRM roles specify the responsibilities for procurement, conducting risk assessments, collecting supply chain threat intelligence, identifying and implementing risk-based mitigations, and performing monitoring functions.

⁴⁶ [OMB A-130] defines supply chain risk and requires federal agencies to consider supply chain security issues for all resource planning and management activities throughout the SDLC so that risks are appropriately managed.

[FISMA] and [OMB A-130] require external providers handling federal information or operating systems on behalf of the federal government to meet the same security and privacy requirements as federal agencies. Security and privacy requirements for external providers including the controls for systems processing, storing, or transmitting federal information are expressed in contracts or other formal agreements. The RMF can be effectively used to manage supply chain risk.⁴⁷ The conceptual view of the system in Figure 5 can guide and inform security, privacy, and risk management activities for all elements of the supply chain. Every step in the RMF can be executed by nonfederal external providers except for the Authorize step—that is, the acceptance of risk is an inherent federal responsibility for which senior executives are held responsible and accountable. The authorization decision is directly linked to the management of risk related to the acquisition and use of component products, systems, and services from external providers.⁴⁸ [OMB A-130] also requires organizations to develop and implement SCRM plans. ⁴⁹

Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization—building trust relationships and communicating with both internal and external stakeholders. SCRM activities involve identifying and assessing applicable risks, determining appropriate mitigating actions, developing appropriate SCRM plans to document selected mitigating actions, and monitoring performance against SCRM plans. Because supply chains differ across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored plans provide the basis for determining whether a system is “fit for purpose” and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment.

The determination that the risk from acquiring products, systems, or services from external providers is acceptable depends on the level of assurance⁵⁰ that the organization can gain from the providers. The level of assurance is based on the degree of control the organization can exert on the external provider regarding the controls needed for the protection of the product, system, or service and the evidence brought forth by the provider as to the effectiveness of those controls.

The degree of control is established by the specific terms and conditions of the contract or service-level agreement. Some organizations have extensive control through contract vehicles or other agreements that specify the security and privacy requirements for the external provider. Other organizations, in contrast, have limited control because they are purchasing commodity services or commercial off-the-shelf products. The level of assurance can also be based on many other factors that convince the organization that the requisite controls have been implemented and that a credible determination of control effectiveness exists. For example, an authorized external cloud service provided to an organization through a well-established line-of-business relationship may provide a level of trust in the service that is within the risk tolerance of the organization. Ultimately, the responsibility for responding to risks from the use of component products, systems, and services from external providers remains with the organization and the authorizing official. Organizations require that an appropriate chain of trust be established with external providers when dealing with the issues associated with system security or privacy risks.

⁴⁷ Supply chain risk means risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation [OMB A-130]. When system elements process PII, SCRM practices address both information security and privacy risk.

⁴⁸ While authorization (i.e., the acceptance of risk) of federal information systems is an inherent federal responsibility, it is a foundational concept that can be used by senior executives in nonfederal organizations at all levels in the supply chain to manage security and privacy risk.

⁴⁹ [SP 800-161] provides guidance on SCRM plans.

⁵⁰ The level of assurance provided by an external provider can vary, ranging from those who provide high assurance (e.g., business partners in a joint venture that share a common business model and goals) to those who provide less assurance and represent greater sources of risk (e.g., business partners in one endeavor who are also competitors in another market sector).