UK NCSC Launches Recommendations on Supply Chain Mapping

The recent rise in supply chain attacks has made supply chain security a key issue for decision makers in all industries.

On February 16 the UK’s National Cyber Security Centre (NCSC) published a list of recommendations to help medium and large organisations ‘map’ their supply chain dependencies so they can better anticipate cyber risks arising from contractors and subcontractors.

According to the NCSC, supply chain mapping (SCM) aims to understand who your suppliers are, what they deliver, and how they deliver it. It is the first step in supporting suppliers to improve their security practices and in increasing the likelihood that new security policies are adopted through contracts. It also supports security compliance and helps organisations reduce the risk of cyberattacks and breaches.

In the guidance, the NCSC lists the elements a supply chain map should contain:

  • A complete inventory of suppliers and their subcontractors, showing how they are connected to each other
  • Which product or service is provided by whom, and the importance of that asset to the organisation
  • The flow of information between the organisation and its suppliers (including an understanding of the value of that information)
  • An assurance contact within the supplying organisation
  • Completeness of previous assessments, details of upcoming assurance assessment due dates, and information on outstanding activities
  • Proof of required certifications, such as Cyber Essentials, ISO certification, product certification, etc.

The NCSC added that this is important information and should be kept safe.

The advisory also provides a “set of top priorities for getting started with SCM for organizations new to SCM.”

These recommendations are:

  1. Use your existing data stores, such as your procurement system, to build a list of known suppliers. Prioritise the suppliers, systems, products and services that are important to your organisation.
  2. Determine what information will help you understand your supply chain.
  3. Know how to keep that information safe and how to manage access to it.
  4. Establish whether collecting information about suppliers’ subcontractors would be helpful, and how far down the chain to go. Consider using additional services that assess suppliers and provide supplemental information on their cyber risk profile. For new suppliers, state upfront, during the procurement process, what information the supplier is expected to provide. For existing suppliers, tell them what information you want and why, and incorporate the information you collect from them into a centralised repository.
  5. Update your standard contractual clauses so that the information you need in order to start working with a supplier is provided as standard.
  6. Define who within your organisation is best suited to use this information. This may include procurement, business owners, cyber security, and operational security teams. Make them aware of the information store and give them access.
  7. Consider creating playbooks for incidents that require coordination both across the broader supply chain and with third parties such as law enforcement, regulators, and even customers. A useful supply chain scenario can be found in the NCSC Exercise in a Box service.
  8. Finally, document any steps within the procurement process that need to change as a result of the supply chain mapping. For example, you may want to consider excluding suppliers who cannot adequately demonstrate that they meet your minimum cyber security requirements.
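As an added illustration (not part of the NCSC guidance or of this article), the following Python sketch models the inventory elements listed earlier and several of the steps above: suppliers and their subcontractors as a graph, the information flowing to each, an assurance contact, certifications and assessment due dates. It walks the chain to assign tiers (step 4), lets a subcontractor inherit the criticality of the most critical chain it sits in (step 1), flags subcontractors shared by several direct suppliers, and reports gaps such as subcontractors that are referenced but not yet inventoried, overdue assurance assessments and missing required certifications. All supplier names, dates and the three-level criticality scale are constructed sample values.

```python
"""Toy supply chain map: tiers, inherited criticality, shared dependencies, gaps."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from datetime import date

# Constructed three-level scale for "importance of that asset to the organisation".
CRIT_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Supplier:
    name: str
    provides: str                                   # product or service supplied
    criticality: str                                # own importance to the organisation
    subcontractors: list[str] = field(default_factory=list)
    data_shared: list[str] = field(default_factory=list)   # information flowing to the supplier
    assurance_contact: str = ""
    certifications: set[str] = field(default_factory=set)
    next_assessment: date | None = None


class SupplyChainMap:
    def __init__(self, direct: list[Supplier], known_subs: list[Supplier]) -> None:
        self.direct = [s.name for s in direct]
        self.inventory = {s.name: s for s in direct + known_subs}

    def tiers(self) -> dict[str, int]:
        """Breadth-first walk: tier 1 = direct suppliers, tier 2 = their subcontractors, ..."""
        tier: dict[str, int] = {}
        queue = deque((name, 1) for name in self.direct)
        while queue:
            name, depth = queue.popleft()
            if name in tier:
                continue
            tier[name] = depth
            sup = self.inventory.get(name)
            if sup is None:          # referenced but never inventoried: cannot expand further
                continue
            queue.extend((sub, depth + 1) for sub in sup.subcontractors)
        return tier

    def effective_criticality(self) -> dict[str, str]:
        """A subcontractor inherits the criticality of the most critical chain it sits in."""
        eff: dict[str, str] = {}

        def walk(name: str, inherited: str) -> None:
            sup = self.inventory.get(name)
            own = sup.criticality if sup else "low"
            level = max(own, inherited, key=CRIT_RANK.__getitem__)
            if name in eff and CRIT_RANK[eff[name]] >= CRIT_RANK[level]:
                return               # already recorded at this level or higher (also stops cycles)
            eff[name] = level
            for sub in (sup.subcontractors if sup else []):
                walk(sub, level)

        for root in self.direct:
            walk(root, "low")
        return eff

    def shared_dependencies(self) -> dict[str, set[str]]:
        """Suppliers reachable from more than one direct supplier (concentration risk)."""
        reached_from: dict[str, set[str]] = {}
        for root in self.direct:
            stack, seen = [root], set()
            while stack:
                name = stack.pop()
                if name in seen:
                    continue
                seen.add(name)
                reached_from.setdefault(name, set()).add(root)
                sup = self.inventory.get(name)
                if sup:
                    stack.extend(sup.subcontractors)
        return {n: roots for n, roots in reached_from.items() if len(roots) > 1}

    def gaps(self, today: date, required_certs: set[str]) -> list[str]:
        """Findings a procurement or security team would follow up, ordered by tier."""
        findings: list[str] = []
        tiers, eff = self.tiers(), self.effective_criticality()
        for name in sorted(tiers, key=tiers.__getitem__):
            sup = self.inventory.get(name)
            if sup is None:
                findings.append(f"{name}: referenced as a subcontractor but not in the inventory")
                continue
            if eff[name] == "high":
                if not sup.assurance_contact:
                    findings.append(f"{name}: no assurance contact recorded")
                missing = required_certs - sup.certifications
                if missing:
                    findings.append(f"{name}: missing certification(s) {sorted(missing)}")
                if sup.next_assessment is None:
                    findings.append(f"{name}: no assurance assessment scheduled")
            if sup.next_assessment and sup.next_assessment < today:
                findings.append(f"{name}: assurance assessment overdue since {sup.next_assessment}")
        return findings


def build_example_map() -> SupplyChainMap:
    """Constructed sample data; every name and date here is made up."""
    direct = [
        Supplier("PayrollCo", "payroll SaaS", "high", ["CloudHost"], ["employee PII", "bank details"],
                 assurance_contact="security@payrollco.example",
                 certifications={"Cyber Essentials", "ISO 27001"}, next_assessment=date(2023, 9, 1)),
        Supplier("PrintShop", "marketing print", "low", ["CloudHost"], ["brochure drafts"],
                 next_assessment=date(2022, 11, 30)),
    ]
    known_subs = [
        Supplier("CloudHost", "IaaS hosting", "medium", ["BackupVault"], ["hosted data"],
                 assurance_contact="trust@cloudhost.example",
                 certifications={"ISO 27001"}, next_assessment=date(2023, 6, 30)),
        # "BackupVault" is named by CloudHost but nobody has inventoried it yet.
    ]
    return SupplyChainMap(direct, known_subs)


if __name__ == "__main__":
    scm = build_example_map()
    print("tiers:", scm.tiers())
    print("effective criticality:", scm.effective_criticality())
    print("shared dependencies:", scm.shared_dependencies())
    for finding in scm.gaps(date(2023, 3, 1), {"Cyber Essentials"}):
        print("gap:", finding)
```

The inheritance rule is the point worth noticing: CloudHost rates itself only "medium", but because it sits under the high-criticality payroll supplier it is treated as high, and the same applies to its own uninventoried subcontractor, which is exactly the kind of tier-3 dependency step 4 asks you to decide whether to chase.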

The NCSC also lists existing tools that can help organisations map their supply chains, and security conditions to consider when signing contracts with suppliers.
