A growing practice area is ‘Supply Risk Management.’  The challenge is that there are few standards and guidelines for managing supplier risk including supplier IT risks.

US National Institute of Standards and Technology has developed a guideline, NISTIR 7622, whose purpose is:

Federal agency information systems are increasingly at risk of both intentional and unintentional supply chain compromise due to the growing sophistication of information and communications technologies (ICT) and the growing speed and scale of a complex, distributed global supply chain. Federal departments and agencies currently have neither a consistent nor comprehensive way of understanding the often opaque processes and practices used to create and deliver hardware and software products and services that are contracted out, especially beyond the prime contractor.

This lack of understanding, visibility, and control increases the risk of exploitation through a variety of means including counterfeit materials, malicious software, or untrustworthy products, and makes it increasingly difficult for federal departments and agencies to understand their exposure and manage the associated supply chain risks. Currently, federal departments and agencies and private sector integrators and suppliers use varied and nonstandard practices.

Download the guidance document by clicking: