On April 29, 2021 the National Institute of Standards and Technology (NIST) unveiled an initial public draft of its first major revision to Special Publication 800-161, Cyber Supply Chain Risk Management Practices for Systems and Organizations. The publication represents NIST’s flagship framework to evaluate supply chain security for federal agencies and has not been revised since its original publication in April 2015. While federal agencies were the intended audience for the original publication, NIST has stated that the revised framework is designed to be adapted by a wide variety of organizations in assessing supply chain risk management (SCRM) processes and controls.
Federal contractors, in particular, are expected to reap benefits from the rollout of the revised publication. These organizations have been challenged in recent years to adapt their legal and compliance strategies to growing regulatory measures seeking to alleviate concerns over data security and vulnerabilities in the information and communications technology (ICT) supply chain. The call to resolve these issues has been accelerated by supply chain infiltrations like the SolarWinds event, cyber espionage by foreign governments and other unexpected events that have created supply chain bottlenecks and significant business continuity issues (e.g., the COVID-19 pandemic, the Suez Canal incident and the Colonial Pipeline cyberattack). Companies that work closely with the government are expected to be more vigilant than ever in protecting and ensuring the security of their supply chain.
Understanding the criticality of this issue, federal contractors would be wise to consider the updates found in this latest draft revision and provide comment to NIST by the due date (June 14, 2021) in order to help shape the final publication. NIST anticipates releasing a second draft in September 2021 and a final version by April 2022.
Specifically, the revision incorporates a number of important changes intended to reshape how federal agencies think about and monitor risks to increasingly complex and globally distributed supply chains. A summary of several important changes includes:
Baker Tilly is here to assist with solidifying your C-SCRM practices, performing a gap assessment or other evaluation procedures to assess your risk. We also can help you understand the aspects of this new guidance that are applicable to your organization, while helping you best allocate time and resources to understand what is “fit for purpose” for your C-SCRM program.
Additionally, your organization may require a C-SCRM plan, either now or in the future. These plans explore the processes you currently have in place to manage your third-party risk and often require an in-depth understanding of governmental standards. We regularly assist organizations with preparing SCRM plans in order to avoid complications that may arise with federal review and evaluation of these plans.
As the pandemic and recent supply chain “shocks” make clear, risk management procedures and business continuity plans can be tested at any time. Federal contractors should look to develop an effective C-SCRM program that puts the systems, policies and processes in place that will allow them to effectively mitigate and manage ongoing supplier risks. Baker Tilly stands ready to support your organization.
For more information on this, or to learn how Baker Tilly specialists can help, please contact us.