Three years before the inaugural National Supply Chain Integrity Month, the Computer Security Division of the National Institute of Standards and Technology (NIST) published Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations.” While its target audience was information systems practitioners, its thorough approach to addressing supply chain risk management (SCRM) offers a template for organizations’ entire SCRM programs, not just cybersecurity SCRM (C-SCRM).
The NIST authors defined four pillars of C-SCRM (security, integrity, resilience, and quality) and described how the pillars overlap. These pillars, or categories, help an organization find, assess, prioritize, and mitigate supply chain risk from different perspectives. For added comprehensiveness, a fifth pillar, responsibility, would cover social and environmental responsibility. This pillar prompts organizations to assess the likelihood and mission effect of supply chain disruptions that arise from global human rights concerns, local labor issues, environmental sustainability, and the long-term influence of climate and ecosystem change. The overlap between the pillars is critical: an SCRM program cannot adequately protect the organization's mission unless it accounts for every practical perspective, or category, of risk.
Previous Supply Chain Integrity Months focused on adversarial, intentional threats, often from nation-states. Last year's events highlighted the need to find and appropriately mitigate every source of supply chain disruption. Supply chain integrity is critical to the national defense mission, and it is well worth the energy and effort to raise awareness of it. Every supply chain disruption, whether caused by a natural disaster, negligence, or poor quality, exposes vulnerabilities that a well-resourced adversary can target and exploit. However, integrity alone is not enough, and SCRM cannot be limited to one month a year.
Few organizations, if any, appropriately assessed the likelihood and effects of a pandemic (or of the other disruptions in the headlines), let alone proactively mitigated the associated risks so that supply chain failures and disruptions would not harm the mission. Lessons learned need to be turned into action: your SCRM program needs to mature now. LMI's experience standing up SCRM programs highlights three critical steps in that maturation process.
- Build the appropriate governance and structure for an SCRM program with a designated executive champion. While the program should be tailored to every organization based on mission and risk appetite, SCRM needs to be an integral part of every organization’s enterprise risk program.
- Comprehensively assess the entire risk landscape: the threats, the likelihood of attacks and disruptions, the vulnerabilities they would exploit, and the consequences for the mission. Government organizations need to pay particular attention to supply chain integrity threats, but they must not overlook or underestimate the mission effect of the other threat categories.
- Illuminate who is in your supply chain and how they influence you and your mission. Many organizations review only their key first-tier suppliers. To mature appropriately, an organization must understand its end-to-end supply chain, including the lower tiers, especially given the global nature of supply chains and the geopolitical considerations that come with it.
With these essential building blocks, your organization can make informed, proactive, risk-based decisions to ensure better preparation for the next supply chain disruption. While it is great to bring more awareness to supply chain integrity during April, improving SCRM will take a coordinated, long-term effort to move from reactive to proactive risk management.