Following a continual increase in high profile cyber-attacks resulting from supply chain vulnerabilities, the United Kingdom National Cyber Security Centre (NCSC) – a part of GCHQ – has published updated guidance to help organisations effectively assess and gain confidence in the cyber security of their supply chains.
The latest guidance, issued in October 2022, is intended to help organisations implement the NCSC’s 12 supply chain security principles originally published in January 2018, noted in the illustration below (courtesy of the National Cyber Security Centre, a part of GCHQ).
The guidance is broken out into the following five stages:
This post examines the five stages in the latest NCSC guidance and identifies best practices steps to implement the guidance.
According to the NCSC guidance, the goal of stage 1 is to, “Gain knowledge about your own organisation’s approach to cyber security risk management.” This initial planning stage involves the following steps.
According to a recent industry study, 45% of organisations have experienced a third-party data or privacy breach in the past 12 months. Answer these key questions:
If the answer to any of these questions is “no,” then you must assess the weak points in your cyber supply chain and build a plan to mitigate those risks.
Participants can include representatives from procurement and sourcing, risk management, security and IT, legal and compliance, and data privacy teams. The reason that so many teams should be engaged as part of the supply chain cyber risk management process is that each department tends to focus on the risks that matter to them. For example:
First, establish a RACI matrix to define who in the organisation is:
Finally, gain buy-in from senior executives and the board by:
A common way to categorise risk is through a “heat map” that measures risk on two axes: likelihood of occurrence and impact to operations. Naturally, risks that rate high on both scales (i.e., those in the upper-right quadrant) should be prioritised above risks that rate lower.
Stage 2 guidance says to “Create a repeatable, consistent approach for assessing the cyber security of your suppliers.” This stage involves:
Prior to creating the supplier’s security profile, consider the inherent risks they expose the company to. Consider this framework when calculating inherent risk:
Using the insights from this inherent risk assessment, your team can automatically tier and profile suppliers; establish specific contractual clauses to enforce standards; set appropriate levels of further diligence; determine the scope of ongoing assessments; and define remediations in the case of non-compliance.
For tracking compliance with security requirements, consider standardising assessments against Cyber Essentials, ISO, or other commonly-adopted information security control frameworks.
At Stage 3, NCSC guidance recommends embedding “new security practices throughout the contract lifecycle of new suppliers, from procurement and supplier selection through to contract closure.” This involves monitoring adherence to contractual provisions and maintaining the team’s awareness of their responsibilities during the process.
This guidance requires organisations to be aware of risks at every stage of the supplier lifecycle, including:
Conduct supplier cybersecurity assessments at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually). Ensure that assessments are backed by workflow, task management, and automated evidence review capabilities.
Then, continuously track and analyse external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include: criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases. Correlate all monitoring data to assessment results and centralise in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.
In Stage 4, NCSC recommends reviewing “your existing contracts either upon renewal, or sooner where critical suppliers are concerned.” The guidance assumes some level of contract lifecycle management and managing KPIs and KRIs.
Centralise the distribution, discussion, retention and review of vendor contracts so that all applicable teams can participate in contract reviews to ensure the appropriate security clauses are included.
Key practices to consider in managing supplier contracts include:
An important part of reviewing contracts is measuring key performance indicators (KPIs) and key risk indicators (KRIs). To enable an efficient review of contractual KPIs and KRIs, categorise them like this:
Then, be sure to tie results back to contract provisions to provide complete governance over the process.
Finally, ensure your team is fluent in understanding what type of information the board should see. This approach should enable your team to:
The final stage of the NCSC guidance says that periodically refining your approach “as new issues emerge will reduce the likelihood of risks being introduced into your organisation via the supply chain.”
Continuously track and analyse external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include criminal forums, onion pages, dark web special-access forums, threat feeds, paste sites for leaked credentials, and data breach databases, as well as security communities, code repositories, and vulnerability databases.
Results of assessments and continuous monitoring should be collated in a single risk register with heat map reporting that measures and categorises risks based on likelihood and impact. Develop remediation plans with recommendations that suppliers can follow to reduce residual risk. Provide a forum for suppliers to upload evidence and communicate on specific remediations with a secure audit trail for tracking remediations to a close.
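As an added illustration (not code from the NCSC guidance or from Prevalent's platform), the following script collates assessment and monitoring findings into a single per-supplier risk register, scores each finding on the two heat-map axes described above, places it in a heat-map cell, and orders the register so the upper-right quadrant comes first. The supplier names, findings, and the 5-point scales are constructed for the example.

```python
from dataclasses import dataclass

# Ordinal scales for the two heat-map axes (constructed; 1 = lowest, 5 = highest)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Finding:
    supplier: str
    source: str        # "assessment" (questionnaire/evidence) or "monitoring" (external)
    description: str
    likelihood: str
    impact: str

    def score(self) -> int:
        # Classic likelihood x impact scoring; range 1..25 on these scales
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def heat_map_cell(likelihood: str, impact: str) -> str:
    """Place a finding in one of four heat-map quadrants.
    A rating of 4 or more on the 5-point scale counts as 'high' on that axis."""
    high_l, high_i = LIKELIHOOD[likelihood] >= 4, IMPACT[impact] >= 4
    if high_l and high_i:
        return "upper-right (prioritise)"
    if high_i:
        return "upper-left (high impact, low likelihood)"
    if high_l:
        return "lower-right (high likelihood, low impact)"
    return "lower-left (monitor)"


def build_register(findings):
    """Unify findings from all sources into one register per supplier and
    sort suppliers by their worst finding, then by total exposure."""
    register = {}
    for f in findings:
        entry = register.setdefault(f.supplier, {"findings": [], "max_score": 0, "total": 0})
        entry["findings"].append((f.source, f.description, f.score(), heat_map_cell(f.likelihood, f.impact)))
        entry["max_score"] = max(entry["max_score"], f.score())
        entry["total"] += f.score()
    return sorted(register.items(), key=lambda kv: (-kv[1]["max_score"], -kv[1]["total"]))


# Constructed sample findings: two from questionnaires, two from external monitoring
SAMPLE_FINDINGS = [
    Finding("Acme Hosting Ltd", "assessment", "No MFA on administrative portal", "likely", "major"),
    Finding("Acme Hosting Ltd", "monitoring", "Staff credentials seen on a paste site", "possible", "major"),
    Finding("Beta Payroll", "assessment", "Cyber Essentials certificate expired", "possible", "moderate"),
    Finding("Gamma Analytics", "monitoring", "Outdated TLS configuration on public endpoint", "likely", "minor"),
]
```

Printing `build_register(SAMPLE_FINDINGS)` lists Acme Hosting Ltd first (one upper-right finding, total score 28), then Beta Payroll and Gamma Analytics, which is the order a remediation review would work through.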
NCSC requirements can help provide structure and best-practice recommendations to mitigate the risks of supply chain cyber attacks. Prevalent offers a central, automated platform for assessing and continuously monitoring risks in concert with your broader cybersecurity risk management programme.
For more on how Prevalent can help, visit our NCSC solutions page, download the comprehensive NCSC Supply Chain Cyber Security Checklist, or contact Prevalent today to schedule a personalised demonstration.