BEAD Cybersecurity and Supply Chain Risk Management Plans

Utah Broadband Center

BEAD Cybersecurity Risk Management Plan Requirements

Cybersecurity Requirements

  • Cybersecurity risk management plan must be operational (if providing service prior to grant award) or ready to be operationalized (if not yet providing service prior to grant award)
  • Plan reflects the latest version of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
  • Plan reflects the standards and controls set forth in Executive Order 14028 and specifies the security and privacy controls being implemented
  • Plan will be reevaluated and updated on a periodic basis and as events warrant
  • Plan must be submitted to UBC prior to fund allocation, and resubmitted within 30 days of any substantive changes

NIST Framework for Improving Critical Infrastructure Cybersecurity

  • Cybersecurity Framework Core: Taxonomy of high-level cybersecurity outcomes
  • Cybersecurity Framework Organizational Profiles: Mechanism for describing an organization’s current/target cybersecurity posture
  • Cybersecurity Framework Tiers: Characterize the rigor of an organization’s cybersecurity risk governance and management practices

Cybersecurity Framework Functions

CSF Organizational Profiles

  • Current Profile: Specifies Core outcomes an organization is currently achieving (or attempting to achieve) and characterizes how or to what extent each outcome is being achieved.
  • Target Profile: Specifies desired outcomes an organization has selected and prioritized for achieving its cybersecurity risk management objectives; considers anticipated changes to the organization’s cybersecurity posture (e.g. new requirements, new technology adoption, etc.)

CSF Tiers

Tiers characterize the rigor of an organization’s cybersecurity risk governance and management practices, and provide context for how an organization views cybersecurity risks and the processes in place to manage those risks.

  • Tier 1: Partial
  • Tier 2: Risk Informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

Online Resources

Executive Order 14028

  • Provides guidance on improving cybersecurity for Federal Information Systems
  • Includes the following sections:
    • Removing Barriers to Sharing Threat Information
    • Modernizing Federal Government Cybersecurity
    • Enhancing Software Supply Chain Security
    • Establishing a Cyber Safety Review Board
    • Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
    • Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
    • Improving the Federal Government’s Investigative and Remediation Capabilities
    • National Security Systems

NIST Resources

NIST developed additional resources in response to Executive Order 14028. These resources include:

  • Identified criteria to evaluate software security
  • Identified criteria to evaluate security practices of developers and suppliers
  • Developed tools and methods to demonstrate conformance with secure practices

NIST’s resources can be accessed on their webpage.

Supply Chain Risk Management Plan Requirements

  • SCRM plan must be operational (if providing service prior to grant award) or ready to be operationalized (if not yet providing service prior to grant award)
  • Plan is based on key practices discussed in NISTIR 8276 and related SCRM guidance from NIST including NIST 800-161
  • Plan will be reevaluated and updated on a periodic basis and as events warrant
  • Plan must be submitted to UBC prior to fund allocation, and resubmitted within 30 days of any substantive changes

NISTIR 8276

Key Practices:

  1. Integrate C-SCRM Across the Organization
  2. Establish a Formal C-SCRM Program
  3. Know and Manage Critical Suppliers
  4. Understand the Organization’s Supply Chain
  5. Closely Collaborate with Key Suppliers
  6. Include Key Suppliers in Resilience and Improvement Activities
  7. Assess and Monitor Throughout the Supplier Relationship
  8. Plan for the Full Life Cycle

Integrate C-SCRM Across the Organization

  • Establish a Supply Chain Risk Council with leaders in the organization
    • Review relevant risks
    • Review risk mitigation plans
    • Set priorities
    • Share best practices
    • Pilot initiatives

Establish a Formal C-SCRM Program

  • Ensures organizational accountability
  • Characteristics to consider:
    • Increase executive-level involvement
    • Develop clear governance of C-SCRM activities
    • Use standards-based policies and procedures
    • Use the same policies internally and with suppliers
    • Integrate cybersecurity considerations into the system and product development lifecycle
    • Use cross-functional teams
    • Clearly define individual roles for cybersecurity aspects of supplier relationships
    • Use success measures to facilitate decision-making, accountability, and improvement
    • Create lists of approved and banned suppliers
    • Use component inventories for third-party components

    • Prioritize suppliers based on their criticality
    • Establish testing procedures for critical components
    • Establish a known set of security requirements for all suppliers
    • Develop service-level agreements with suppliers that include cybersecurity requirements
    • Establish intellectual property rights agreements
    • Use shared supplier questionnaires across like organizations
    • Implement upstream security requirements to sub-tier suppliers
    • Ensure that suppliers have only the access they need (to data, capability, functionality, and infrastructure)

    • Use escrow services for suppliers with questionable or risky track records
    • Provide organization-wide training for all relevant stakeholders (supply chain, legal, product development, procurement, key suppliers)
    • Identify alternative sources for critical components
    • Implement secure requirements guiding disposal of hardware containing regulated data (e.g. PII)
    • Implement protocols for securely terminating supplier relationships to ensure all hardware has been properly disposed of and data leak risks have been minimized

Know and Manage Critical Components & Suppliers

  • Critical suppliers = suppliers whose disruption would create a negative business impact on your organization or suppliers that provide critical components for your organization’s business missions
  • Criteria to help identify critical suppliers/components:
    • Revenue contribution
    • Processes critical data or intellectual property
    • Accesses or hosts high volume of data
    • Accesses your system and network infrastructure
    • If compromised, can allow threat actors access to your organization, products, or services

Understand the Organization’s Supply Chain

  • Establish real-time visibility into production processes of your outsourced manufacturers
  • Capture defect rates and causes of failure
  • Gain insight into how suppliers vet their personnel, who they are outsourcing to, and who has access to your organization’s data

Closely Collaborate with Key Suppliers

  • Establish close relationships with suppliers
  • Maintain close working relationships through frequent visits and communications
  • Mentor and coach suppliers on C-SCRM and help suppliers improve cybersecurity and supply chain practices
  • Invest in common solutions
  • Use the same standards within the organization and by suppliers to achieve a uniform level of quality

Include Key Suppliers in Resilience & Improvement Activities

  • Develop rules and protocols to share information between organizations and suppliers
  • Engage in joint development, review, and revision of incident response, business continuity, and disaster recovery plans
  • Develop protocols to communicate vulnerabilities and incidents
  • Identify responsibilities for responding to cybersecurity incidents
  • Coordinate communication methods and protocols, as well as restoration and recovery procedures
  • Develop collaborative processes to review lessons learned and update plans

Assess & Monitor Throughout Supplier Relationship

  • Establish supplier monitoring programs that cover the entire relationship life cycle
  • Monitor a variety of risks, including security, privacy, quality, financial, and geopolitical risks
  • Validate that suppliers are meeting cybersecurity and other key requirements
  • Identify any changes in supplier status
  • Mitigate identified risks per mutually agreed remediation timelines
  • Assess supplier controls on a regular basis
  • Monitoring may include self-assessments, supplier attestations, third-party assessments, formal certifications, and site visits

Plan for the Full Life Cycle

  • Plan for unexpected interruptions to the supply chain, such as a supplier:
    • Stopping support of obsolete hardware and software
    • Discontinuing production of hardware components
    • Adopting a significant change of business direction
    • Undergoing acquisition or changes in ownership or management
  • Risk management practices:
    • Purchasing reserve quantities of critical components
    • Establishing relationships with approved resellers
    • Bringing ailing component manufacturers in-house

24 Key Recommendations

  1. Establish supply chain risk councils
  2. Create explicit collaborative roles, structures, and processes
  3. Increase Executive Board involvement in C-SCRM
  4. Integrate cybersecurity considerations into product lifecycle
  5. Clearly define roles and responsibilities for supplier relationships
  6. Use master requirement lists and SLAs to establish relationships with suppliers
  7. Propagate security requirements to sub-suppliers
  8. Train key stakeholders
  9. Terminate supplier relationships with security in mind

  10. Use the Criticality Analysis Process Model or a Business Impact Analysis (BIA) to determine supplier criticality
  11. Establish visibility into suppliers’ production processes
  12. Know if data and infrastructure are available to sub-suppliers
  13. Mentor and coach suppliers to improve their cybersecurity practices
  14. Require the use of the same standards within your and your suppliers’ organizations
  15. Use assessment questionnaires to influence cybersecurity requirements
  16. Include key suppliers in incident response, business continuity, and disaster recovery
  17. Maintain a watch list of suppliers who have had issues in the past
  18. Establish remediation acceptance criteria for identified risks
  19. Establish cybersecurity requirements through a Security Exhibit, Security Schedule, or Security Addendum document
  20. Establish protocols for vulnerability disclosure and incident notification
  21. Establish protocols for communications with external stakeholders during incidents
  22. Collaborate on lessons learned and update joint plans
  23. Use third-party assessments, site visits, and formal certification to assess critical suppliers
  24. Have plans in place for supplied product obsolescence

NIST 800-161 Introduction

  • Purpose:
    • “To provide guidance to enterprises on how to identify, assess, select, and implement risk management processes and mitigating controls across the enterprise to help manage cybersecurity risks throughout the supply chain.”
  • Guidance should be tailored to the unique circumstances of each enterprise
  • Offers a general prioritization of C-SCRM practices for enterprises to consider
  • Designed to serve diverse audiences within the enterprise, as outlined in audience profiles

Audience Profiles for NIST SP 800

  • Enterprise Risk Management and C-SCRM Owners and Operators
    • Responsible for enterprise risk management and cybersecurity supply chain risk management
    • Responsibilities may include:
      • Helping to develop C-SCRM policies and standards
      • Performing assessments of cybersecurity risks throughout the supply chain
      • Serving as subject matter expert for the rest of the enterprise

  • Enterprise, Agency, and Mission and Business Process Owners and Operators
    • Responsible for activities that create and/or manage risk within the enterprise
    • Responsibilities may include:
      • Owning risk as part of duties within mission or business process
      • Managing cybersecurity risks throughout the supply chain for the enterprise

  • Acquisition and Procurement Owners and Operators
    • Responsible for C-SCRM as part of procurement and acquisition functions
    • Responsibilities may include:
      • Executing C-SCRM activities in the acquisition and procurement lifecycle
      • Collaborating closely with enterprise C-SCRM personnel

  • Information Security, Privacy, or Cybersecurity Operators
    • Responsible for protecting confidentiality, integrity, and availability of critical processes and information systems
    • Responsibilities may include:
      • Conducting cybersecurity supply chain risk assessments
      • Selecting or implementing C-SCRM controls

  • System Development, System Engineering, and System Implementation Personnel
    • Responsible for executing activities within an information system’s system development life cycle
    • Responsibilities may include:
      • Executing operational-level C-SCRM activities
      • Implementing C-SCRM controls to manage cybersecurity risks from products and services provided through the supply chain within their information systems
