CRS Issues Primer on Cybersecurity Supply Chain Risk Management
The Congressional Research Service reviewed how cybersecurity risk is managed in supply chains and proposed areas for legislative action.
In the primer, CRS cites the National Institute of Standards and Technology's ("NIST") definition of cyber supply chain risk management ("C-SCRM") as "the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of [IT] product and service supply chains." The definition underscores that C-SCRM is an ongoing activity covering both hardware and software, and that attackers may seek either to "mass-compromise technology" or to selectively exploit a vulnerability common to many products.
CRS stated that cyber supply chain risk management addresses (i) malicious threat actors, (ii) those actors' motivations, and (iii) the ways they might compromise technology. CRS also noted that risk profiles (e.g., risk tolerance, resource allocations, vulnerabilities and threats) and the corresponding risk management practices differ from one entity or sector to another. Countries identified in the report as potential sources of risk include Russia, China, Iran and North Korea. Other threat actors mentioned include intelligence services, insiders and criminals.
As possible areas for legislative action, CRS recommended that Congress consider:
- creating "specific responsibilities for federal or national supply chain security" and assigning "those responsibilities across agencies or to a single federal entity";
- using its oversight authority to ask federal agencies and regulated sectors about their C-SCRM programs;
- potentially banning certain products to limit risk exposure; and
- assigning a single federal agency to evaluate IT risks on behalf of all other agencies, maximizing "shared service" benefits such as improved consistency while minimizing expenses and management overhead.