NIST CSF Supply Chain Risk Management Guide
Quick Answer
NIST CSF 2.0 elevates supply chain risk management with a dedicated category (GV.SC) containing 10 subcategories. It requires identifying critical suppliers, establishing security requirements in contracts, assessing supplier security posture, and monitoring supply chain risks continuously.
Supply Chain Risk in NIST CSF 2.0
Supply chain cybersecurity risk is one of the most significant additions in NIST CSF 2.0. The new GV.SC (Cybersecurity Supply Chain Risk Management) category under the Govern function contains 10 subcategories — making it one of the largest categories in the entire framework. This reflects the growing threat of supply chain attacks like SolarWinds and Log4j.
Key Takeaways
- GV.SC has 10 subcategories — the largest single category in CSF 2.0
- Supply chain risk management is now a governance-level concern, not just IT
- Requires identifying critical suppliers, assessing their security, and monitoring continuously
- Contractual security requirements with suppliers are explicitly called out
- NIST SP 800-161 provides detailed C-SCRM guidance complementing the CSF
GV.SC Subcategories
| ID | Subcategory | Key Focus |
|---|---|---|
| GV.SC-01 | Supply chain risk management program | Establish a formal C-SCRM program with policy and procedures |
| GV.SC-02 | Roles and responsibilities | Define roles for supply chain risk identification and management |
| GV.SC-03 | Integration into enterprise risk | Integrate supply chain risks into enterprise risk management |
| GV.SC-04 | Supplier identification and prioritization | Know your critical suppliers and prioritize by risk |
| GV.SC-05 | Requirements in agreements | Include cybersecurity requirements in supplier contracts |
| GV.SC-06 | Due diligence | Assess supplier cybersecurity practices before and during engagement |
| GV.SC-07 | Supply chain risk response | Respond to identified supply chain risks appropriately |
| GV.SC-08 | Post-engagement activities | Manage risks when supplier relationships end |
| GV.SC-09 | Supply chain monitoring | Monitor suppliers for security changes and incidents |
| GV.SC-10 | Sub-tier supplier management | Address risks from suppliers' suppliers (cascading risk) |
Building a Supply Chain Risk Program
C-SCRM Implementation Steps
1. Inventory your suppliers: Create a comprehensive list of all suppliers, service providers, and third parties that interact with your systems or data. Include SaaS tools, cloud providers, contractors, and open-source components.
2. Classify by criticality and risk: Rate each supplier based on access to sensitive data, criticality to operations, and replacement difficulty. Focus your deepest assessment on the highest-risk suppliers.
3. Establish security requirements: Define minimum security standards for suppliers based on their risk tier. Include requirements in contracts (encryption, access controls, incident notification, audit rights).
4. Assess supplier security: Conduct security assessments of critical suppliers. Methods range from questionnaires (SIG, CAIQ) for lower-risk suppliers to on-site audits for critical ones.
5. Monitor continuously: Implement ongoing monitoring of supplier security posture using security rating services, breach notification monitoring, and periodic re-assessment.
6. Plan for incidents and offboarding: Establish procedures for supplier security incidents (notification requirements, response coordination) and secure offboarding when relationships end (data return/destruction, access revocation).
Supplier Assessment Methods
| Risk Tier | Assessment Method | Frequency | Typical Cost |
|---|---|---|---|
| Critical | Detailed questionnaire + evidence review + on-site audit | Annually | $5,000-$20,000 per supplier |
| High | Detailed questionnaire + evidence review | Annually | $2,000-$5,000 per supplier |
| Medium | Standard questionnaire (SIG, CAIQ) | Annually | $500-$2,000 per supplier |
| Low | Security rating service + basic questionnaire | Annually | $100-$500 per supplier |
| All tiers | Continuous monitoring (security ratings, breach alerts) | Ongoing | $1,000-$10,000/year for platform |
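As an added example that is not part of the original guide, the following Python ties the classify step of the implementation procedure to the assessment table above: it tiers each supplier from the three factors the guide names (access to sensitive data, criticality to operations, replacement difficulty), looks up the assessment method for that tier, and flags suppliers whose annual reassessment is missing or overdue. The inventory, the factor scales and the tier thresholds are constructed assumptions, not values from the guide.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Method per tier from the Supplier Assessment Methods table; all tiers are reassessed annually.
TIER_METHOD = {
    "Critical": "detailed questionnaire + evidence review + on-site audit",
    "High": "detailed questionnaire + evidence review",
    "Medium": "standard questionnaire (SIG or CAIQ)",
    "Low": "security rating service + basic questionnaire",
}
TIER_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
REASSESS_INTERVAL = timedelta(days=365)

@dataclass
class Supplier:
    name: str
    data_access: int         # 0 none, 1 internal, 2 confidential, 3 regulated or sensitive
    criticality: int         # 0 nice-to-have ... 3 operations stop without it
    replace_difficulty: int  # 0 drop-in alternative ... 3 months to replace
    last_assessed: Optional[date]

def risk_tier(s: Supplier) -> str:
    """Tier from the three factors in the classify step; the thresholds are constructed."""
    score = s.data_access + s.criticality + s.replace_difficulty  # 0..9
    if s.data_access == 3 or score >= 8:  # access to sensitive data alone is enough
        return "Critical"
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def assessment_plan(suppliers, today):
    """Rows of (name, tier, method, status): worst tier first, stale assessments before current."""
    rows = []
    for s in suppliers:
        tier = risk_tier(s)
        age = None if s.last_assessed is None else today - s.last_assessed
        status = ("never assessed" if age is None else
                  "current" if age <= REASSESS_INTERVAL else
                  f"overdue by {(age - REASSESS_INTERVAL).days} days")
        rows.append((s.name, tier, TIER_METHOD[tier], status))
    rows.sort(key=lambda r: (TIER_ORDER[r[1]], r[3] == "current"))
    return rows

SAMPLE = [  # constructed inventory; last_assessed is the date of the previous review
    Supplier("PayrollSaaS", 3, 2, 2, date(2023, 1, 15)),
    Supplier("CloudHost", 2, 3, 3, date(2024, 3, 1)),
    Supplier("TicketingTool", 1, 1, 1, None),
    Supplier("OfficeSnacks", 0, 0, 0, date(2024, 5, 1)),
]
def demo_plan(today=date(2024, 6, 1)):  # fixed date so the output is reproducible
    return assessment_plan(SAMPLE, today)
```

Feed it your real inventory instead of SAMPLE and run it on a schedule; the rows at the top are the suppliers to chase first.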
Contractual Security Requirements
Supplier Contract Security Clauses
- Data encryption requirements (at rest and in transit)
- Access control and authentication standards (MFA required)
- Incident notification requirements (timeframe and contact details)
- Right to audit or assess supplier security practices
- Data handling, retention, and destruction requirements
- Subcontractor/sub-processor management requirements
- Business continuity and disaster recovery commitments
- Compliance requirements (SOC 2, ISO 27001, or equivalent)
- Vulnerability management and patching commitments
- Data return or destruction upon contract termination
⚠️ Do not forget open source
Open-source software components are part of your supply chain. The Log4j vulnerability demonstrated the risk of unmanaged open-source dependencies. Maintain a Software Bill of Materials (SBOM), monitor for vulnerabilities, and have a process for rapid patching of open-source components.
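Added here as an illustration (not code from the original guide): a minimal Python check that reads component purls from a CycloneDX SBOM and matches them against an advisory list by version range, which is the "maintain an SBOM and monitor for vulnerabilities" step in practice. The SBOM contents, the advisory identifiers and the affected version ranges are constructed placeholders, not real advisories.

```python
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX-style SBOM (the format is real; the components are illustrative).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "purl": "pkg:npm/%40acme/widgets@1.2.0?vcs_url=git"}
  ]
}"""

# Constructed advisory feed: (package key, first affected, first fixed, id). In practice this
# comes from OSV, GitHub advisories or a vendor feed; the ids and ranges here are placeholders.
ADVISORIES = [
    ("maven/org.apache.logging.log4j/log4j-core", "2.0", "2.17.1", "ADV-PLACEHOLDER-1"),
    ("npm/lodash", "0", "4.17.21", "ADV-PLACEHOLDER-2"),
]

def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version[?qualifiers][#subpath]' into (key, version)."""
    body = purl[len("pkg:"):].split("?")[0].split("#")[0]
    key, _, version = body.partition("@")  # scoped npm names encode their '@' as %40
    return unquote(key), version

def vkey(v):
    """Sortable version key: numeric parts compare as ints, anything else as a string."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))

def check_sbom(sbom_json, advisories):
    """Return (key, version, advisory id, first fixed) for every affected component."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        key, version = parse_purl(comp["purl"])
        for pkg, first_bad, first_fixed, adv_id in advisories:
            if key == pkg and vkey(first_bad) <= vkey(version) < vkey(first_fixed):
                findings.append((key, version, adv_id, first_fixed))
    return findings

if __name__ == "__main__":
    for key, version, adv_id, fixed in check_sbom(SBOM_JSON, ADVISORIES):
        print(f"{key}@{version}: {adv_id}, upgrade to >= {fixed}")
```

vkey treats a pre-release suffix such as -beta9 as later than its base version, so for real feeds use an ecosystem-aware version comparison rather than this simplified key.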
How many suppliers should I assess?
At minimum, assess all critical and high-risk suppliers (those with access to sensitive data or critical to operations). For most organizations, this is 10-30 suppliers. Lower-risk suppliers can be assessed using lighter-weight methods like security rating services.
What questionnaire should I use for supplier assessment?
The SIG (Standardized Information Gathering) questionnaire and CAIQ (Consensus Assessment Initiative Questionnaire for cloud services) are the most widely accepted. Many organizations create tiered questionnaires — detailed for high-risk suppliers, brief for lower-risk.
How do security rating services help?
Services like SecurityScorecard, BitSight, and UpGuard provide continuous external monitoring of supplier security posture based on publicly observable data (exposed services, email security, patch levels). They provide a low-cost way to monitor all suppliers and identify deteriorating security.
What about fourth-party risk (suppliers of suppliers)?
GV.SC-10 specifically addresses sub-tier supplier management. While you cannot assess your suppliers' suppliers directly, you should require critical suppliers to have their own supply chain risk management programs. Include this requirement in contracts.