Supply Chain Risk Management Research

We help government and private industry manage their external dependency risks. We primarily focus on organizational relationships involving information and communications technology (ICT), also known as supply chain or third-party risks.

Organizations incur potential risk to their missions and key services any time they depend on external entities for ICT. Examples of real-world issues and common concerns include:

  • breaches and incidents that involve a third party's failure to protect data, such as personally identifiable information (PII) or defense-related information
  • concerns involving the integrity of hardware and software deployed within an organization
  • malicious use of trusted third-party relationships to gain access to or harm the organization

The challenge of depending on the cybersecurity capability of third parties is broad and pervasive. Organizations that manage in silos, or that focus risk management activities on only one type of external entity or supplier, risk overlooking important risks and missing opportunities to manage risk more efficiently.

Our supply chain risk management approach is based on the following foundational elements:

A risk-based approach is best. Organizations should start by identifying risks and maintaining specific requirements for suppliers or vendors, and then prioritize and manage external entities accordingly.

Change occurs constantly. What really matters is an organization's ability to consistently manage risk and resilience. An organization's maturity (i.e., how well it governs and sustains external dependencies management over time) is a key predictor of success.

Draw on a well-established body of work. The Software Engineering Institute has a long history of helping organizations improve their processes, and the CERT Resilience Management Model (CERT-RMM) has been employed successfully in hundreds of assessments.

Contracts with third parties are only one component of risk management. While identifying and codifying requirements into contracts and service level agreements is very important, this step is only the first in forming the relationships most critical to an organization. Organizations must be capable of

  • building relationships with the right third parties
  • maintaining awareness of changes and vulnerabilities that may affect the external entities they rely on