Fundamentals of Cybersecurity Supply Chain Risk Management (C-SCRM)

SS Course: 2001667

Course Overview

This two-day course not only trains participants to understand Cybersecurity Supply Chain Risk Management (C-SCRM) but also provides guidance in preparing organizations to deal with the myriad risks that come from the supply chain.

What You'll Learn

You will learn the basics of C-SCRM and then dive deeply into NIST C-SCRM guidance, integration into enterprise risk management, success factors, controls, and implementing effective C-SCRM through the lens of several realistic scenarios. Also included is a primer, linked to free templates, on creating your own C-SCRM program.

Outline

Course Introduction

The Basics of Cybersecurity Supply Chain Risk Management

  • What is C-SCRM
  • ICT, IT, OT, and Enterprise vs Organization
  • The Dimensions of SCRM
  • Describing the Supply Chain of an Enterprise
  • Internal C-SCRM Stakeholders

An Overview of NIST SP 800-161r1

  • Name and Purpose
  • Relationship to other NIST Publications
    • Cybersecurity Framework (NIST CSF)
    • Describing the NIST 800 Special Publication Series
    • SP 800-37, Revision 2: The NIST Risk Management Framework (RMF)
    • SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
    • SP 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations
    • SP 800-53B Control Baselines for Information Systems and Organizations
    • SP 800-181, Revision 1, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework
  • Design of the Publication

Integration of C-SCRM into Enterprise Risk Management

  • The Enterprise Risk Management Process
  • The Business Case for C-SCRM
  • Cybersecurity Risks Throughout Supply Chains
  • Multilevel Risk Management
    • Defining Roles and Responsibilities
    • Level 1 – Enterprise
    • Level 2 – Mission and Business Process
    • Level 3 – Operational
  • C-SCRM Program Management Office (PMO)

Critical Success Factors in C-SCRM

  • C-SCRM in Acquisition
  • Supply Chain Information Sharing
  • C-SCRM Training and Awareness
  • C-SCRM Key Practices
  • Capability Implementation Measurement and C-SCRM Measures
  • Dedicated Resources

C-SCRM Security Controls

  • Introduction and Background
  • Controls Design
  • C-SCRM Controls Throughout the Enterprise
    • Applying C-SCRM Controls to Acquiring
    • Considerations for Suppliers
    • Considerations for Developers and Manufacturers
    • Considerations for System Integrators
    • Considerations for External System Service Providers of Information System Services
    • Considerations for Other ICT/OT-Related Service Providers
  • Selecting, Tailoring, and Implementing C-SCRM Security Controls
  • C-SCRM Control Family Summaries

The Risk Exposure Framework

  • Threat Scenario Description and Use Cases
  • Risk Exposure Framework
    • Step 1: Create a Plan for Developing and Analyzing Threat Scenarios
    • Step 2: Characterize the Environment
    • Step 3: Develop and Select Threat Events for Analysis
    • Step 4: Conduct an Analysis Using the Risk Exposure Framework
    • Step 5: Determine C-SCRM Applicable Controls
    • Step 6: Evaluate/Feedback
  • Risk Exposure Framework Example
  • Risk Exposure Framework Scenarios
    • Scenario 1: Influence or Control by Foreign Governments Over Suppliers
    • Scenario 2: Telecommunications Counterfeits
    • Scenario 3: Industrial Espionage
    • Scenario 4: Malicious Code Insertion
    • Scenario 5: Unintentional Compromise
    • Scenario 6: Vulnerable Reused Components Within Systems

Prerequisites

Basic computer knowledge and an interest in creating or improving Cybersecurity Supply Chain Risk Management (C-SCRM) in an organization.

Who Should Attend

The Cybersecurity Supply Chain Risk Management (C-SCRM) course is appropriate for anyone who deals with risk, security, or technology related to the supply chain in an organization. This includes business, security, and IT professionals or anyone else who is a stakeholder in Cybersecurity Supply Chain Risk Management (C-SCRM). This course is specifically for those who have responsibility for or interest in C-SCRM.
