... But The Risks Can Be Mitigated at Key Decision Points (KDPs)

Supply Chain Risk Management (SCRM) is a decision-making process that can reduce risks associated with ICT throughout the acquisition process. A lifecycle-based approach to SCRM requires risk decisions at key decision points in the acquirer's system development and acquisition process. These KDPs are plotted on the ICT lifecycle in Figure 5 and summarized below. Each KDP addresses specific governance and operations across the lifecycle to cost-effectively manage supply chain risks. To be effective, acquirers, suppliers, service providers, and other stakeholders must share information about KDP outcomes to manage risk. Tools are created to implement these methods, reduce total lifecycle costs, and share information.

Figure 5. KDPs extend consideration of SCRM concepts to earlier stages of the lifecycle to more effectively integrate systems risk and security operations.

KDP-1: Integrate supply chain knowledge into secure solution concepts
Evaluate supply chain threats with respect to the set of possible solutions under consideration.
Make decisions about the level of acceptable supply chain risk and the acceptable costs of security.
Align the acquisition roadmap with the key decision points and require SCRM assessments.
Example Laws, Regulations, and/or Standards: FISMA (§3544(b)(2)(C)) makes system owners accountable for information security throughout the lifecycle; FIPS 200 (3) requires minimum security standards for acquisitions; SP 800-37 (3.2) designates security controls selected based on the system risk. KDP-1 maps to the SDLC Initiation phase, as outlined in Section 3.1 of NIST SP 800-64.

KDP-2: Incorporate SCRM into Acquisition Requirements
Determine the costs of supply chain security; maximize the requirements for low-cost, high-risk-reduction security measures.
Comply with decisions from KDP-1.
Make decisions about specific SCRM requirements (in the context of KDP-1 decisions).
Incorporate adequate SCRM into requirements to assure that responses address SCRM.
Example Laws, Regulations, and/or Standards: SP 800-70 (4.1) designates a requirements analysis (including security requirements) before selecting an information systems product; IR 7622 (4) designates supply chain controls. KDP-2 maps to the SDLC Development/Acquisition phase, as outlined in Section 3.2 of NIST SP 800-64.

KDP-3: Evaluate Proposals for SCRM Capabilities
Evaluate proposals against the supply chain security requirements from KDP-2.
Determine the extent to which proposals satisfy SCRM-related acquisition requirements.
Example Laws, Regulations, and/or Standards: SP 800-53 (SA-12): the organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire ICT components. KDP-3 maps to the SDLC Development/Acquisition phase, as outlined in Section 3.2 of NIST SP 800-64.

KDP-4: Incorporate Threat Assessments and Evaluate Capability to Mitigate Residual Risks
Specify requirements for, and incorporate, threat assessments that provide the acquiring organization with information that guides the selection (with mitigations) or the elimination of proposals.
Make decisions to reduce the risk that an offeror will expose the organization to ICT supply chain threats (based on KDP-3 results and threat assessments) by putting contracts, controls, and security in place that will monitor for, and add adequate resilience in spite of, residual supply chain risk.
Example Laws, Regulations, and/or Standards: SP 800-53 (SA-5): incorporate SCRM assessments into all requirements and processes to protect acquirer mission/business practices against compromise. KDP-4 maps to the SDLC Development/Acquisition and Implementation/Assessment phases, as outlined in Sections 3.2 and 3.3 of NIST SP 800-64.

KDP-5: Incorporate SCRM Measures into Overall ICT Security
Ensure that metrics and information sharing protocols can identify threats with a supply chain nexus.
Perform acceptance testing and develop continuous certification and testing processes for maintenance, upgrades, and system augmentations.
Ensure that system acquisition records and designs are available to incident response or forensic teams investigating supply chain risks.
Ensure proper disposal so that disposed items do not intentionally or inadvertently make their way back into the supply chain.
Example Laws, Regulations, and/or Standards: SP 800-39 (2.1): as risks of advanced persistent threats become more pronounced, organizations establish practices for sharing information related to system development. KDP-5 maps to the SDLC Operations and Maintenance and Disposal phases, as outlined in Sections 3.4 and 3.5 of NIST SP 800-64.

RETURN ON SCRM INVESTMENT

Early-in-lifecycle investments in SCRM decrease cyber risks that result from poorly or maliciously designed hardware and software, and will ultimately result in decreased expected costs of response, retrofit, and network reconstitution. Conversely, avoiding SCRM costs in early system development stages will require more sophisticated monitoring and cyber intelligence capabilities to avoid loss of essential functions. To achieve the best return on investment, SCRM activities must be embedded in, and aligned with, the overall network security strategy and operations.

Software & Supply Chain Assurance. As of Jan 2013. For more information see DHS NPPD CS&C SECIR Software & Supply Chain Assurance resources at https://buildsecurityin.us-cert.gov/swa