The UK’s National Cyber Security Centre (NCSC) has published new supply chain mapping (SCM) guidance to help medium to large UK organisations gain confidence or assurance that mitigations are in place for vulnerabilities associated with working with suppliers, addressing a variety of associated cyber risks. The guidance follows previous NCSC advice for assessing supply chain cybersecurity, as supply chain threats and challenges continue to impact organisations across sectors.

Supply chain mapping and its security benefits

SCM is the process of recording, storing, and using information gathered from suppliers who are involved in a company’s supply chain, with the goal of having an up-to-date understanding of the network of suppliers so that cyber risks can be managed more effectively and due diligence carried out, the NCSC wrote in a post on its website. “Many organisations rely upon suppliers to deliver products, systems, and services. Supply chains are often large and complex, and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. This makes it difficult to know if you have enough protection across the entire supply chain,” it added.

The security and risk management benefits of SCM include:

- Better insight into the cybersecurity considerations that could be more easily enforced via contracts
- Better preparation for responding to supply chain related cyber incidents
- The ability to establish repeatable methods so you have confidence in suppliers’ security practices, and can build long-term partnerships
- Easier compliance with legal, regulatory and/or contractual responsibilities
- Assessment of the supply chain to reduce the likelihood of a cyberattack or breach

Effective SCM should include a range of information stored in a centralised repository that is access controlled, so it is easier to analyse and maintain, according to the NCSC. Typical information that may be of use includes:

- A full inventory of suppliers and their subcontractors, showing how they are connected
- What product or service is being provided, by whom, and the importance of that asset to your organisation
- The information flows between your organisation and a supplier (including an understanding of the value of that information)
- Assurance contacts within the supplying organisation
- Information relating to the completeness of the last assessment, details of when the next assurance assessment is due, and any outstanding activities
- Proof of any certifications required, such as Cyber Essentials, ISO certification, product certification

“Information about existing suppliers may already exist in your procurement systems. If there are multiple entry points for suppliers, relevant information will need to be aggregated,” the NCSC wrote. Depending on the size of your organisation, it might be beneficial to consider commercial tools which can:

- Reconcile existing supply chain information
- Help to keep information about supplier assurance up to date
- Monitor supply chains beyond the initial tier, and identify concentration risk with contractors and sub-contractors
- Make it easier to connect with, interact with and visualise your supply chain

The guidance also provides advice on dealing with subcontractors in the supply chain, along with the terms that should be considered for contracts with suppliers and subcontractors.

How to approach supply chain mapping for your business

An organisation’s approach to SCM will depend on its procurement and risk management processes as well as the tooling available to it, the NCSC stated. However, the following is a top-level set of priorities for organisations approaching SCM for the first time, it added:

- Use existing stores, such as procurement systems, to build a list of known suppliers.
- Prioritise suppliers, systems, products and services that are critical to your organisation.
- Decide what information would be useful to capture about your supply chain.
- Understand how you will store the information securely and manage access to it.
- Establish whether you want to collect information about your suppliers’ subcontractors.
- Consider using additional services which evaluate your suppliers and provide supplementary information about their cyber risk profile.
- For new suppliers, state upfront within your procurement process what you expect your suppliers to provide. For existing suppliers, inform them what information you want to capture about them and why, and retrofit information collected from existing suppliers into a centralised repository.
- Update standard contract clauses to ensure the information required is provided as standard when initiating work with a supplier.
- Define who is best placed in your organisation to use this information.
- Consider creating a playbook to deal with situations where an incident occurs and you may need to co-ordinate effort across both the extended supply chain and third parties such as law enforcement, regulators and even customers.
- Document the steps that will need to change within your procurement process as a result of supply chain mapping.

Research from Sonatype published in October 2022 found that the number of documented supply chain attacks involving malicious third-party components increased 633% over the course of the previous year, with data indicating that supply chain attacks have become more diversified.
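As an added example that is not part of the NCSC guidance or of the original article, the following Python sketch models the centralised repository described above (supplier, service, criticality, next assessment date, certifications, subcontractors) and derives three things the guidance says the map should give you: supplier tiers beyond the first, overdue assurance assessments with critical suppliers first, and concentration risk on subcontractors shared by several critical suppliers. All supplier names, dates and links are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Supplier:  # one row of the central SCM repository; fields follow the NCSC list
    name: str
    service: str            # what is provided to the organisation
    critical: bool          # importance of the asset to the organisation
    next_assessment: date   # when the next assurance assessment is due
    certifications: set = field(default_factory=set)    # e.g. Cyber Essentials
    subcontractors: list = field(default_factory=list)  # the next tier down

# Constructed sample data: hypothetical suppliers, dates and subcontractor links.
SUPPLY_CHAIN = {
    "PayrollCo": Supplier("PayrollCo", "payroll SaaS", True, date(2023, 1, 15),
                          {"Cyber Essentials"}, ["CloudHostX"]),
    "MailHub": Supplier("MailHub", "email gateway", True, date(2023, 9, 1),
                        {"Cyber Essentials", "ISO 27001"}, ["CloudHostX", "DNSPro"]),
    "CateringLtd": Supplier("CateringLtd", "canteen", False, date(2024, 3, 1)),
    "CloudHostX": Supplier("CloudHostX", "hosting", True, date(2023, 6, 1), {"ISO 27001"}),
    "DNSPro": Supplier("DNSPro", "managed DNS", False, date(2023, 4, 10)),
}
REVIEW_DATE = date(2023, 7, 1)  # constructed "today" for the report

def tiers(chain):
    """Tier 1 = suppliers contracted directly; tier n+1 = their subcontractors."""
    subs = {sub for s in chain.values() for sub in s.subcontractors}
    level, frontier, depth = {}, [n for n in chain if n not in subs], 1
    while frontier:                         # breadth-first walk down the chain
        nxt = []
        for n in frontier:
            if n not in level:              # visited check also stops cycles
                level[n] = depth
                nxt.extend(chain[n].subcontractors if n in chain else [])  # unmapped sub: leaf
        frontier, depth = nxt, depth + 1
    return level

def overdue_assessments(chain, today):
    """Suppliers whose assurance assessment date has passed, critical ones first."""
    late = [s for s in chain.values() if s.next_assessment < today]
    return [s.name for s in sorted(late, key=lambda s: (not s.critical, s.next_assessment))]

def concentration_risk(chain, min_dependents=2):
    """Subcontractors that several critical suppliers share: one outage or breach hits all."""
    dependents = defaultdict(set)
    for s in chain.values():
        if s.critical:
            for sub in s.subcontractors:
                dependents[sub].add(s.name)
    return {sub: sorted(d) for sub, d in dependents.items() if len(d) >= min_dependents}
```

Running the three functions over a real export from a procurement system gives the tier-2 visibility, the assessment backlog and the shared-subcontractor hotspots that the guidance expects a map to surface.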