Before engaging on a significant acquisition or development of a new solution, it is important for the organization to develop a team to consider not only discrete business or operational requirements, but also to assess risks related to the organization, considering both the authorized or unauthorized use of the solution along with operational, financial, and regulatory risks. This will most likely require the formation of a multi-disciplinary team to include Legal, Sourcing, Business, and Information Security.

• Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
• Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (ERM)
• SP 800-53B Control Baselines
• Security and Privacy Controls for Information Systems and Organizations
• Department of Homeland Security Cyber Security Procurement Language for Control Systems
• Guide on Cybersecurity Procurement Language - Requests for Proposals for Federal Facilities
• Cybersecurity Procurement Language for Energy Delivery Systems

Cybersecurity Supply Chain Risk Management (C-SCRM) is a systematic process for managing exposures to cybersecurity risks, threats, and vulnerabilities throughout the supply chain and developing appropriate response strategies presented by the supplier, the supplied products, services, and the supply chain. Determine Qualifying Criteria. Perform Market Analysis. Models are available to assist entities identify and evaluate necessary supplier security practices. In addition, entities should consider methods to verify or certify the scope, strength, and efficacy of supplier practices..

• Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
• Supplier Cyber Security Assessment Model

Entities can choose from high-level measures using structured responses to a survey of 60 security criteria, use a questionnaire of 300 questions, or choose a hybrid approach based on an assessment of risk.

• NATF Cyber Security Criteria for Suppliers
• Energy Sector questionnaire

Entities can leverage a variety of existing tools to enumerate and manage risk using contractual mechanisms. Does the supplier support SBOM? What methods will the supplier use to integrate SBOM into their development process? What methods will the entity use to incorporate SBOM information into an overall risk management program?

• Model Procurement Contract Language Addressing Cybersecurity Supply Chain Risk V2
• Best Practices in Cyber Supply Chain Risk Management

Secure Delivery, add to the ongoing vulnerability management program. Certain high-risk components may be deserving of additional controls to manage risk associated with the delivery pathway from the assembly/manufacturing facility to the purchaser. Moreover, after the products are installed and integrated into operations, the entity using the products should consider methods to identify and mitigate new (or newly discovered) vulnerabilities

• Information and guidance on the secure delivery of high-risk materials
• Building and maintaining an incident response program
• Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
• Tracking and Chain of Custody: The Differences

Ensure solution is retired/recycled in a manner to protect sensitive information/Environmentally Responsible Manner. It is helpful to consider the implications of retirement/cessation of the use of solutions. What methods will be used to neutralize sensitive PII or proprietary business information? Certain components may have sensitive operational or configuration information that should be eliminated. Entities should also consider the environmental impact of destruction/recycling options for components.

• Guide for Media Sanitization
• CISA Guide Proper Disposal of Electronic Devices