10. Don't Let Cyber Supply Chain Security Be Your Weakest Link

TERRY ROBERTS


In the digital age, supply chain risk, driven by the significant use of information and operational technology vendors and service contractors, has dramatically expanded the threat landscape for all businesses and organizations, making the protection of their reputation and revenue far more complex. Today we call this cyber supply chain risk management, or C-SCRM—a much-needed discipline, practice, and body of knowledge that receives ever-increasing focus and emphasis in our interconnected world. C-SCRM is challenging even for top security and risk managers, not to mention executive teams and boards of directors.

What Does C-SCRM Encompass?

In exploring C-SCRM, let's start with the NIST definition:[1]

“Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.”

That is a very detailed definition. Let's break it down bit by bit.

What does “cyber supply chain risk management” mean? In this context, cyber means everything that is interconnected; all information technology and operational technology ...
