
What is supply chain risk management under CPCSC?


Answer

Supply chain risk management addresses security risks from external suppliers, vendors, contractors, and service providers that have access to organizational systems or specified information.

Modern organizations depend on complex supply chains involving dozens or hundreds of third parties, each potentially introducing security risks. CPCSC recognizes supply chain security as critical and includes specific requirements for assessing and managing supply chain risks.

Understanding these requirements helps executives develop comprehensive third-party risk management programs that protect specified information throughout the supply chain.

Why Supply Chain Security Matters

Supply chain attacks are increasingly common and damaging. High-profile incidents like SolarWinds, where adversaries compromised a software vendor and inserted malicious code into updates distributed to thousands of customers, demonstrate how attackers exploit trusted vendor relationships to reach ultimate targets.

Target's breach through HVAC contractor credentials, Home Depot's breach through vendor remote access, and numerous other incidents show attackers routinely target weaker suppliers as paths to better-defended primary targets.

For defense contractors handling specified information, supply chain risks are particularly acute because adversaries specifically target defense supply chains to access military information, weapon system details, and classified data.

The following risks are common in supply chains:

  • Suppliers might have weak security, creating entry points to your systems
  • Software vendors might inadvertently include vulnerabilities or could be compromised to distribute malicious updates
  • Subcontractors might mishandle specified information they access
  • Cloud service providers' security failures could expose your data

Without supply chain risk management, your security is only as strong as your weakest supplier, regardless of your own security investments.

ITSP.10.171 Supply Chain Requirements

The Supply Chain Risk Management family in ITSP.10.171 includes several requirements:

  • Conduct cyber security supply chain risk assessments when acquiring systems or services that will handle specified information
  • Identify potential suppliers and assess their security capabilities
  • Document the risks introduced by each supplier and determine whether each risk is acceptable or requires mitigation
  • Establish security requirements for suppliers proportional to the risk they present
  • Flow down ITSP.10.171 requirements to subcontractors who will handle specified information
  • Implement processes to track, review, and approve changes to systems or services provided by suppliers
  • Monitor supply chain risks throughout vendor relationships, not just at initial selection
  • Require suppliers to document their security implementations and provide evidence of compliance

The intent is that security requirements flow through supply chains. If your customer requires CPCSC compliance from you, and you use subcontractors who access specified information, those subcontractors must also satisfy requirements.

This creates cascading security obligations throughout defense supply chains, raising security posture industry-wide.

Supplier Risk Assessment

Organizations must assess security risks posed by each supplier. Categorize suppliers based on risk level considering the following factors:

  • Whether the supplier will access specified information directly
  • Whether the supplier provides critical services whose failure impacts security
  • Whether the supplier has administrative access to your systems
  • Whether the supplier provides software or hardware that becomes part of your environment

High-risk suppliers (those accessing specified information, providing critical security services, or having elevated access) require thorough assessment. Assessment activities include the following:

  • Security questionnaires covering supplier security practices across all ITSP.10.171 families
  • Documentation review of supplier security policies, procedures, and certifications
  • On-site or virtual assessments evaluating supplier security implementations directly
  • Reference checks with other organizations using the supplier
  • Financial stability assessment since supplier business failure creates security and availability risks

Document assessment findings, including identified risks, risk ratings, and whether the supplier is approved. For the highest-risk suppliers handling very sensitive specified information, consider requiring that suppliers obtain their own CPCSC certification or equivalent third-party security validation.

Supplier Contract Requirements

Supplier agreements must address security obligations explicitly. The following elements should be included:

  • Security specifications should incorporate the ITSP.10.171 requirements applicable to the supplier's role, either through specific contract clauses or by reference to the standard
  • Data protection obligations specify how the supplier must protect specified information, including encryption, access controls, and physical security
  • Incident notification requires the supplier to promptly notify you of any security incidents affecting your information or systems
  • Audit rights allow you or your assessors to audit supplier security implementations and review evidence of compliance
  • Subcontracting restrictions prohibit, or require approval before, the supplier engaging subcontractors, with flow-down of security requirements to those subcontractors
  • Personnel security requires that supplier personnel accessing specified information meet background check and training requirements
  • Data return and destruction upon contract termination, with verification
  • Liability and indemnification for security failures

The contract should clearly allocate security responsibilities and provide remedies if the supplier fails to meet its obligations. Standard supplier terms often lack security provisions, so negotiate security addenda or require the supplier to accept your security terms.

Ongoing Supplier Monitoring

Initial supplier assessment is insufficient because risks evolve over time. Organizations should implement the following monitoring activities:

  • Periodic reassessment (annually or as defined by risk level) repeats the security evaluation to verify that the supplier maintains its security posture
  • Continuous monitoring reviews supplier security incidents, monitors the supplier's security reputation in the industry, and tracks the supplier's financial stability
  • Performance monitoring ensures the supplier meets security SLAs and responds appropriately to security issues
  • Security coordination through regular security meetings with high-risk suppliers, participation in supplier security reviews, and communication of emerging threats relevant to the supplier's services
  • Incident collaboration means the supplier notifies you promptly of security incidents and participates in a coordinated response if incidents affect you
  • Change notification requires the supplier to inform you of significant changes to security implementations, personnel, subcontractors, or business arrangements that might affect risk
  • Supplier security scorecards rate supplier security performance over time, informing renewal decisions

Organizations should assign third-party risk managers responsible for ongoing supplier oversight rather than treating supplier security as a one-time procurement activity.

Software Supply Chain Security

Software vendors present unique risks since vulnerabilities or malicious code in commercial software affect all customers. Key security practices include:

  • Software composition analysis examines what components are included in software, particularly open-source libraries that might contain vulnerabilities
  • Software Bill of Materials (SBOM) documents all software components, enabling rapid identification if vulnerabilities are discovered in components
  • Secure development lifecycle requirements expect software vendors to follow secure coding practices, conduct code reviews, perform security testing, and have vulnerability management processes
  • Cryptographic signing of software and updates allows verification of authenticity and prevents malicious modification
  • Vulnerability disclosure programs where vendors accept security research and promptly patch reported vulnerabilities demonstrate security maturity
  • Patch management processes ensure vendors provide timely security updates and customers deploy them promptly

For critical software used in systems handling specified information, organizations should assess the vendor's development security, potentially requiring that vendors complete questionnaires about secure development practices, provide evidence of security testing, and disclose known vulnerabilities.

Organizations should maintain inventories of all software and monitor for vulnerability disclosures affecting software they use.
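The check that an SBOM makes possible, as an added example that is not from the original page or from Plurilock: a minimal CycloneDX-style component list, constructed inline, is matched against a constructed list of advisories that each name a component and the version range it affects. Component names, versions and advisory identifiers are placeholders; real SBOMs and advisory feeds carry more fields and need a proper version-comparison library for non-numeric versions.

```python
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM fragment (not a real product's SBOM).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libexample-xml", "version": "2.4.1", "purl": "pkg:generic/libexample-xml@2.4.1"},
        {"name": "netutil", "version": "1.0.9", "purl": "pkg:generic/netutil@1.0.9"},
        {"name": "crypto-helper", "version": "3.2.0", "purl": "pkg:generic/crypto-helper@3.2.0"},
    ],
})

# Constructed advisories: affected component, first affected version (inclusive)
# and first fixed version (exclusive). Advisory identifiers are placeholders.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "libexample-xml", "introduced": "2.0.0", "fixed": "2.4.3"},
    {"id": "ADV-PLACEHOLDER-002", "name": "netutil", "introduced": "1.1.0", "fixed": "1.2.0"},
    {"id": "ADV-PLACEHOLDER-003", "name": "crypto-helper", "introduced": "3.0.0", "fixed": "3.2.0"},
]

def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple ("2.4.1" -> (2, 4, 1))."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Affected if introduced <= version < fixed; a version equal to the fix is clean."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract name/version pairs from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_json)
    return [{"name": c["name"], "version": c["version"]} for c in doc.get("components", [])]

def match_advisories(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per (component, advisory) pair whose shipped version is in the affected range."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings

if __name__ == "__main__":
    # Only libexample-xml is flagged: netutil is below the affected range and
    # crypto-helper already runs the fixed version.
    for f in match_advisories(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']} affected by {f['advisory']}; upgrade to {f['fixed_in']}")
```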

Hardware Supply Chain Security

Hardware suppliers also present risks. Key security considerations include:

  • Counterfeit hardware might have inferior quality, lack proper security features, or potentially contain malicious implants
  • Supply chain provenance verification ensures hardware originates from legitimate manufacturers through authorized distribution channels
  • Firmware security examines whether hardware firmware has proper cryptographic signing, secure boot capabilities, and vendor processes for firmware security updates
  • Hardware component visibility through hardware bills of materials (HBOMs) documents hardware components, enabling identification if security issues arise
  • Procurement from trusted suppliers favors established vendors with a reputable security record over unknown suppliers that offer lower costs but uncertain provenance
  • Physical inspection upon delivery checks for signs of tampering during shipping

For highly sensitive systems handling specified information, organizations might require hardware procured through secure supply chain programs where chain of custody is documented and hardware is shipped directly from manufacturers through secured logistics.

While hardware implants are sophisticated threats typically associated with nation-state adversaries, defense contractors represent high-value targets where such threats are more plausible than for typical commercial organizations.

Cloud and Service Provider Security

Cloud and managed service providers require particular attention since they have broad access to customer systems and data. Important security measures include:

  • Provider security assessment as discussed in FAQ 29 evaluates provider security capabilities thoroughly
  • Contractual security requirements flow security obligations to providers
  • Access management strictly limits and monitors provider personnel access to customer systems
  • Separation of duties ensures providers cannot unilaterally access customer data without logging and oversight
  • Provider personnel security requires background checks and security training for provider personnel
  • Continuous monitoring reviews provider security logs for suspicious activity

Many security incidents involve compromised provider access. Treating providers as extensions of your organization, subject to similar security controls, reduces risk.

Organizations should implement privileged access management for provider access, require multi-factor authentication, monitor provider sessions, and promptly revoke access when services end.

Small Supplier Challenges

Small and medium defense contractors often lack resources for comprehensive third-party risk management. Pragmatic approaches include:

  • Risk-based assessment focusing extensive evaluation on highest-risk suppliers accessing specified information while using streamlined questionnaires for lower-risk suppliers
  • Shared assessments leverage industry shared assessment platforms where multiple customers use common supplier assessments rather than each conducting independent assessments
  • Simplified contracts use template security terms or addendums rather than negotiating bespoke agreements for each supplier
  • Supplier self-attestation for lower-risk suppliers where they attest to meeting security requirements with periodic validation rather than thorough independent assessment
  • Managed security service providers can assist with supplier security assessment if internal expertise is limited
  • Industry collaboration through defense industry associations potentially enables shared supplier security assessments

Even small organizations must manage supply chain risk, but approaches can be proportional to organizational size while demonstrating reasonable due diligence.

Learn More

Additional resources are available:

Why Choose Plurilock for CPCSC Readiness?

Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists serving Canadian defense suppliers who bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.

As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.

Why we're the superior choice:

  • First-mover CPCSC expertise: Plurilock was among the first firms to launch dedicated CPCSC readiness services—and among the first to serve clients in this practice—giving your organization a partner with real, accumulated experience preparing suppliers for certification.
  • Deep CMMC heritage: Our established U.S. defense contractor practice has guided organizations through CMMC readiness for years, and those underlying controls map closely to CPCSC—we bring battle-tested methodologies, not theory borrowed from adjacent frameworks.
  • Federal experience on both sides of the border: With extensive engagements across U.S. and Canadian federal government environments, we understand the contractual, technical, and procedural realities that shape defense supply chain compliance.
  • Readiness assessment and gap analysis: We evaluate your current posture against CPCSC requirements, identify control gaps with precision, and deliver clear, prioritized roadmaps that align remediation effort to certification level and contract obligations.
  • Strategy and execution, not just paperwork: Beyond identifying gaps, we help you execute—planning the remediation program, supporting policy and evidence development, and preparing your team and systems so that when the assessor arrives, you're ready.

CPCSC-ready—with proven defense contractor experience guiding every step.


+1 (888) 776-9234 (Plurilock)
+1 (310) 530-8260 (Aurora)
+1 (613) 526-4945 (Integra)

sales@plurilock.com
