The National Institute of Standards and Technology has issued a guidance for organizations seeking to “improve their supply chain risk management or third-party risk programs.”
The draft publication, titled “Impact Analysis Tool for Interdependent Cyber Supply Chain Risks”, is aimed at helping federal agencies improve their identification and assessment of the potential cybersecurity risks in their interconnected supply-chain networks.
NIST said the C-SCRM Interdependency Tool serves as a prototype concept for measuring the impact of a supply chain-related cyber event. The tool also establishes metrics and identifies “nodes” to improve visibility across the supply chain network and specific suppliers, products and projects.
The guidance’s publication comes after NIST researchers found that impact was “frequently overlooked” in cybersecurity risk studies. According to NIST, the need for evaluating supply-chain cyber events becomes greater as federal agencies become more aware of cybersecurity risks at the supplier level.
“This can be a difficult activity, especially for those organizations with complex operational environments and supply chains,” NIST said in the guidance. “A publicly available solution to support supply chain risk analysis that specifically takes into account the potential impact of an event does not currently exist.”