Organizations rely on their suppliers to support critical business functions, and those suppliers in turn rely on third parties of their own. The complexity of these nested dependencies makes it difficult for an organization to quantify and mitigate the risk of a supply chain attack. The National Institute of Standards and Technology (NIST) cyber supply chain risk management program (C-SCRM) has compiled the best practices of global supply chain risk management into the recently released NIST IR-8276.
“Many recent data breaches have been linked to supply chain risks. For example, a recent high-profile attack that took place in the second half of 2018, Operation ShadowHammer, compromised an update utility used by a global computer manufacturer. The compromised software was served to users through the manufacturer’s official website and is estimated to have impacted up to a million users before it was discovered.” – NISTIR 8276