The recent rise in supply chain attacks has placed supply chain security high on the agenda of decision-makers across all industries.
The UK National Cybersecurity Centre (NCSC) launched a list of recommendations on 16 February to help medium and large enterprises ‘map’ their supply chain dependencies in order to better anticipate the cyber risks coming from their contractors and subcontractors.
Supply chain mapping (SCM), NCSC argued, is aimed at understanding who the suppliers are, what they provide and how. It’s a first step towards supporting your suppliers to repeat your security practices and potentially enforcing new security policies via contracts. It will also support security compliance and allow organizations to mitigate the risk of a cyber-attack or breach.
In the guidance, NCSC listed some elements that must be included in an SCM list:
- A full inventory of suppliers and their subcontractors, showing how they are connected to each other
- What product or service is being provided, by whom, and the importance of that asset to your organization
- The information flows between your organization and a supplier (including an understanding of the value of that information)
- Assurance contacts within the supplying organization
- Information relating to the completeness of the last assessment, details of when the next assurance assessment is due, and any outstanding activities
- Proof of any certifications required, such as Cyber Essentials, ISO certification, product certification
Since this is critical information, it should be stored securely, NCSC added.
The advisory also provides “a top-level set of priorities to get started with SCM for organizations approaching it for the first time.”
These recommendations are listed as follows:
- Use existing stores, such as procurement systems, to build a list of known suppliers. Prioritise suppliers, systems, products and services that are critical to your organization.
- Decide what information would be useful to capture about your supply chain.
- Understand how you will store the information securely and manage access to it.
- Establish whether you want to collect information about your suppliers’ subcontractors, how far down the chain is useful to go. Consider using additional services which evaluate your suppliers and provide supplementary information about their cyber risk profile. For new suppliers, state upfront within your procurement process what you expect your suppliers to provide. For existing suppliers, inform them what information you want to capture about them and why, and retrofit information collected from existing suppliers into a centralized repository.
- Update standard contract clauses to ensure the information required is provided as standard when initiating working with a supplier.
- Define who is best placed in your organization to use this information; this might include procurement, business owners, cyber security and operational security teams. Make them aware of the information store and provide access.
- Consider creating a playbook to deal with situations where an incident occurs and you may need to coordinate effort across both the extended supply chain, and third parties such as law enforcement, regulators and even customers. A useful Supply Chain scenario can be found in the NCSC Exercise in a box service.
- Finally, document the steps that will need to change within your procurement process as a result of supply chain mapping. For example, you may need to consider excluding suppliers who cannot satisfactorily demonstrate that they meet your minimum cyber security needs.
NCSC also listed existing tools to help organizations map their supply chain and what security conditions should be considered when signing contracts with suppliers.