New supply chain mapping guidance seeks to help medium to large UK organisations address key supply chain security threats.

The UK's National Cyber Security Centre (NCSC) has published new supply chain mapping (SCM) guidance to help medium to large UK organisations gain confidence or assurance that mitigations are in place for the vulnerabilities that come with working with suppliers, and so address a variety of associated cyber risks. The guidance follows previous NCSC advice on assessing supply chain cybersecurity, as supply chain threats and challenges continue to affect organisations across sectors.

Supply chain mapping and its security benefits

SCM is the process of recording, storing, and using information gathered from the suppliers involved in a company's supply chain, with the goal of maintaining an up-to-date understanding of the network of suppliers so that cyber risks can be managed more effectively and due diligence carried out, the NCSC wrote in a post on its website. "Many organisations rely upon suppliers to deliver products, systems, and services. Supply chains are often large and complex, and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. This makes it difficult to know if you have enough protection across the entire supply chain," it added.

The security and risk management benefits of SCM include:

- Better insight into the cybersecurity considerations that could be more easily enforced via contracts
- Better preparation for responding to supply chain related cyber incidents
- The ability to establish repeatable methods so you have confidence in suppliers' security practices, and can build long-term partnerships
- Easier compliance with legal, regulatory and/or contractual responsibilities
- Assessment of the supply chain to reduce the likelihood of a cyberattack or breach

Effective SCM should include a range of information stored in a centralised, access-controlled repository so that it is easier to analyse and maintain, according to the NCSC. Typical information that may be of use includes:

- A full inventory of suppliers and their subcontractors, showing how they are connected
- What product or service is being provided, by whom, and the importance of that asset to your organisation
- The information flows between your organisation and a supplier (including an understanding of the value of that information)
- Assurance contacts within the supplying organisation
- Information relating to the completeness of the last assessment, details of when the next assurance assessment is due, and any outstanding activities
- Proof of any certifications required, such as Cyber Essentials, ISO certification, or product certification

"Information about existing suppliers may already exist in your procurement systems. If there are multiple entry points for suppliers, relevant information will need to be aggregated," the NCSC wrote.
Depending on the size of your organisation, it might be beneficial to consider commercial tools which can:

- Reconcile existing supply chain information
- Help to keep information about supplier assurance up to date
- Monitor supply chains beyond the initial tier, and identify concentration risk with contractors and subcontractors
- Make it easier to connect with, interact with and visualise your supply chain

The guidance also provides advice on dealing with subcontractors in the supply chain, along with the terms that should be considered for contracts with suppliers and subcontractors.

How to approach supply chain mapping for your business

An organisation's approach to SCM will depend on its procurement and risk management processes as well as the tooling available to it, the NCSC stated. However, the following is a top-level set of priorities for organisations approaching SCM for the first time, it added:

- Use existing stores, such as procurement systems, to build a list of known suppliers.
- Prioritise suppliers, systems, products and services that are critical to your organisation.
- Decide what information would be useful to capture about your supply chain.
- Understand how you will store the information securely and manage access to it.
- Establish whether you want to collect information about your suppliers' subcontractors.
- Consider using additional services which evaluate your suppliers and provide supplementary information about their cyber risk profile.
- For new suppliers, state upfront within your procurement process what you expect your suppliers to provide.
- For existing suppliers, inform them what information you want to capture about them and why, and retrofit information collected from existing suppliers into a centralised repository.
- Update standard contract clauses to ensure the required information is provided as standard when starting to work with a supplier.
- Define who is best placed in your organisation to use this information.
- Consider creating a playbook to deal with situations where an incident occurs and you may need to coordinate effort across both the extended supply chain and third parties such as law enforcement, regulators and even customers.
- Document the steps that will need to change within your procurement process as a result of supply chain mapping.

Research from Sonatype published in October 2022 found that the number of documented supply chain attacks involving malicious third-party components increased 633% over the course of the previous year, with data indicating that supply chain attacks have become more diversified.
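The repository fields the guidance lists (suppliers and subcontractors and how they connect, what each provides and how critical it is, assurance contacts, assessment due dates, certifications) and the checks it calls for (concentration risk beyond the first tier, overdue assurance assessments, and an incident playbook that knows which tier-1 services are affected when one entity is breached) can be shown as a small data model. The following Python is an added example written for this article, not code from the NCSC guidance, from CSO, or from any commercial tool the guidance mentions; the schema, the check thresholds, and all supplier names, dates, contacts and certifications are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Supplier:
    """One record in a (hypothetical) central supply chain repository."""
    name: str
    provides: str                               # product or service supplied
    criticality: str                            # importance to our organisation: "high"/"medium"/"low"
    assurance_contact: str                      # who to contact for assurance questions
    next_assessment_due: Optional[date]         # None = never assessed
    certifications: FrozenSet[str] = frozenset()
    subcontractors: FrozenSet[str] = frozenset()    # names of entities this supplier relies on
    direct: bool = False                        # True = tier 1, contracts directly with us


class SupplyChainMap:
    """Graph of suppliers and subcontractors plus the checks SCM guidance asks for."""

    def __init__(self, suppliers: List[Supplier]) -> None:
        self.suppliers: Dict[str, Supplier] = {s.name: s for s in suppliers}

    def downstream(self, name: str) -> Set[str]:
        """Every entity reachable below `name`: its subcontractors, theirs, and so on."""
        seen: Set[str] = set()
        queue = deque([name])
        while queue:
            node = self.suppliers.get(queue.popleft())
            if node is None:            # referenced but never recorded: a gap in the map
                continue
            for sub in node.subcontractors:
                if sub not in seen:
                    seen.add(sub)
                    queue.append(sub)
        return seen

    def concentration_risk(self, min_dependents: int = 2) -> Dict[str, List[str]]:
        """Entities that `min_dependents` or more tier-1 suppliers depend on, directly or transitively."""
        dependents: Dict[str, Set[str]] = defaultdict(set)
        for s in self.suppliers.values():
            if s.direct:
                for sub in self.downstream(s.name):
                    dependents[sub].add(s.name)
        return {sub: sorted(d) for sub, d in dependents.items() if len(d) >= min_dependents}

    def overdue_assessments(self, today: date) -> List[str]:
        """Suppliers never assessed, or whose next assurance assessment date has passed."""
        return sorted(s.name for s in self.suppliers.values()
                      if s.next_assessment_due is None or s.next_assessment_due < today)

    def missing_certifications(self, required: FrozenSet[str],
                               criticality: str = "high") -> Dict[str, List[str]]:
        """Suppliers of the given criticality that lack any of the required certifications."""
        return {s.name: sorted(required - s.certifications)
                for s in self.suppliers.values()
                if s.criticality == criticality and not required <= s.certifications}

    def blast_radius(self, compromised: str) -> Dict[str, str]:
        """Tier-1 suppliers, and what they provide to us, affected if `compromised` is breached."""
        return {s.name: s.provides for s in self.suppliers.values()
                if s.direct and (s.name == compromised or compromised in self.downstream(s.name))}


# Constructed sample repository: every name, date, contact and certification is invented.
EXAMPLE_MAP = SupplyChainMap([
    Supplier("PayrollCo", "payroll SaaS", "high", "assurance@payrollco.example",
             date(2024, 3, 1), frozenset({"Cyber Essentials", "ISO 27001"}),
             frozenset({"CloudHostX"}), direct=True),
    Supplier("HelpdeskLtd", "IT helpdesk", "medium", "security@helpdesk.example",
             date(2024, 9, 1), frozenset({"Cyber Essentials"}),
             frozenset({"CloudHostX"}), direct=True),
    Supplier("DevShop", "custom app development", "high", "ciso@devshop.example",
             None, frozenset(), frozenset({"CIPipelines Inc"}), direct=True),
    Supplier("CIPipelines Inc", "hosted CI/CD", "low", "ops@cipipelines.example",
             date(2024, 12, 1), frozenset({"ISO 27001"}), frozenset({"CloudHostX"})),
    Supplier("CloudHostX", "IaaS hosting", "high", "trust@cloudhostx.example",
             date(2024, 6, 1), frozenset({"ISO 27001"})),
])

REPORT_DATE = date(2024, 6, 15)     # constructed "as of" date for the report

if __name__ == "__main__":
    print("Concentration risk:", EXAMPLE_MAP.concentration_risk())
    print("Overdue assessments:", EXAMPLE_MAP.overdue_assessments(REPORT_DATE))
    print("High-criticality suppliers missing Cyber Essentials:",
          EXAMPLE_MAP.missing_certifications(frozenset({"Cyber Essentials"})))
    print("Tier-1 services affected if CloudHostX is breached:",
          EXAMPLE_MAP.blast_radius("CloudHostX"))
```

With this sample data the hosting provider CloudHostX never appears in a tier-1 contract, yet all three direct suppliers depend on it, which is exactly the concentration risk that only becomes visible once the map extends beyond the first tier. The `blast_radius` check is the piece an incident playbook needs: given the name of a breached entity, it returns the direct suppliers and services to triage, so coordination with the extended supply chain can start from a list rather than from memory.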