Supply Chain Risk Management - The SPECTRUM Group · 2018. 11. 10.



Post on 25-Aug-2020


Page 1: Supply Chain Risk Management - The SPECTRUM Group · 2018. 11. 10.

Today’s Department of Defense (DoD) and other U.S. federal agency supply chains are increasingly dependent on information and communications technology (ICT) and systems – including commercially-available technology, equipment with embedded processing capabilities, and globally-connected networks – and are increasingly vulnerable to threats and unwanted access to these technologies, networks, and systems. These agencies are working to mitigate the risks from ICT products and services that may contain potentially malicious functionality, be counterfeit, or be vulnerable because of poor manufacturing or development practices within their ICT supply chain. These risks have increased due to these agencies’ decreased visibility and insight into – and control over – the lifecycle of the technology they acquire, from development to integration to deployment.

To address these ever-evolving challenges, new guidance was issued in April 2015 that gives the DoD and other U.S. federal agencies direction on identifying, assessing, and mitigating ICT supply chain risk (supply chain risk management, or SCRM) throughout their organizations. This guidance, NIST SP 800-161, describes how organizations doing business with the DoD and the federal government should assess and address risks in their ICT supply chain – across processes, procedures, and practices – in order to assure the integrity, security, resilience, and quality of their products and services.

The SPECTRUM Group – Advancing Your Success...

Supply Chain Risk Management for Federal Information and Communication Systems: Preventing, Detecting, and Mitigating Threats and Ensuring Compliance

www.spectrumgrp.com

Page 2: Supply Chain Risk Management - The SPECTRUM Group · 2018. 11. 10.

Noncompliance

NIST SP 800-161 also provides guidance directly to federal agencies on identifying, assessing, and mitigating IT supply chain risks, and on integrating IT SCRM into federal agency risk management activities. Contractor non-compliance with these NIST guidelines, even when it occurs only at a subcontractor, may eliminate a company during the proposal process. In addition, recent cyber events show the potential for many risks that could disrupt companies’ ability to supply the military with critical commodities. Globalization and the quick-turn needs of today’s federal and private-sector business make managing supply chain risks a major challenge. The DoD and other federal agencies rely on NIST SP 800-161 to identify vendor risks, strengthen procurement processes, and promote effective mitigation activities.

The SPECTRUM Group’s Supply Chain Risk Management Services

The SPECTRUM Group’s expert Supply Chain Risk Management (SCRM) Team offers our services under attorney-client privilege. Our team of experts not only wrote the SCRM international standard on which NIST SP 800-161 is based (the ISO 28000:2007 standard), but has also helped many large and small contractors successfully come into DoD compliance. We work with companies – under attorney-client privilege – to assess supply chain security vulnerabilities and to design risk mitigation plans that clients can implement to achieve compliance. We support clients across the five key elements critical to the development of a security management system (SMS).

NIST SP 800-161 sets forth a recommended security vulnerability assessment (SVA) process for identifying and mitigating risks in the ICT supply chain, requiring contractors to have in place a plan to Frame, Assess, Respond to, and Monitor all vulnerabilities and threats.

There are 19 “families” of security control focuses for contractors to address:

• Access Control
• Awareness & Training
• Audit & Accountability
• Security Assessment & Authorization
• Configuration Management
• Contingency Planning
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical & Environmental Protection
• Planning
• Program Management
• Personnel Security
• Provenance
• Risk Assessment
• System & Services Acquisition
• System & Communications Protection
• System & Information Integrity

Our team members can also help clients achieve the ISO certifications that demonstrate full NIST SP 800-161 compliance.

Figure: the five key elements of a security management system (SMS):

• Security Management Policy
• Security Planning
• Implementation and Operation
• Checking and Corrective Action
• Management Review and Continual Improvement