The National Institute of Standards and Technology requests comments on its draft of a quick-start guide on cybersecurity supply chain risk management, or C-SCRM, assessments. The C-SCRM guide was drafted to help organizations undertake the due diligence that would inform them about potential supplier risks before they make procurement decisions, the agency said Wednesday.
The draft is based on NIST Special Publication 800-161r1, which covers C-SCRM practices for identifying, assessing and responding to supply chain risk at all levels of an organization.
What’s in the NIST C-SCRM Guide?
The guide presents an implementation-ready approach that keeps investigation to a minimum, so that the primary risk factors can be identified quickly and with limited resources. The due diligence research areas it recommends include pre-checks on supply chain tiers, supplier origins, foreign influence, control or ownership, and cyber practices.
The guide also suggests developing a due diligence report template for compiling and verifying research findings and their data sources. Comments on the draft are due Dec. 16.
Separately, the General Services Administration issued a guide in February on the government contract vehicles that agencies can use to procure C-SCRM tools and advisory services.