The National Institute of Standards and Technology (NIST) has awarded $200,000 to the Supply Chain Management Center (SCMC) at the Robert H. Smith School of Business for research and development of enterprise tools and technologies for managing risk in the cyber supply chain.
The award is the fourth phase of a multi-year research project by the SCMC to develop a “cyber supply chain risk management portal” supporting NIST’s mission as the cybersecurity standards and policymaking arm of the federal government. President Obama’s recent executive order on cybersecurity specifically charged NIST with developing integrated risk frameworks to protect the nation’s IT systems.
“We will be completing a portal that contains functionalities for companies and governmental organizations to map their IT supply chains; and to benchmark themselves against best practices in managing risk and security across the multiple technical and managerial dimensions of those chains,” said Sandor Boyson, principal investigator and SCMC founding co-director. “The result will be a clearinghouse, via a highly secure website, to provide private sector and federal, state or local entities with opportunities to understand their positions within a well-defined enterprise capability/maturity model.”
The portal could evolve into a dynamic, third-party information sharing site that accommodates feedback from industry and government participants, added Boyson, whose Smith School co-investigators are Thomas Corsi, the Michelle Smith Professor of Logistics and Supply Chain Management Center co-director; Hart Rossman, a senior research fellow for the center; and Holly Mann, Smith's director of information technology, who serves as the applications architect for the NIST-funded research.
Initially, the Smith team surveyed 200 companies to model an ICT supply chain and create a profile of vendors’ supply chain risk management capabilities. This involved an examination of both defense in breadth (the whole business ecosystem of system acquirers, integrators, suppliers and their key shared processes) and defense in depth (risk governance; systems lifecycle management; and operations management). The researchers used the model to evaluate more than 60 IT networking and system integration initiatives in both industry and government.
“Our research shows the cyber supply chain is as fragmented and stovepiped today as the physical product supply chain was in the early to mid-1990s,” Boyson said. “On the strategic side of risk management, just half of the 200 companies we surveyed use a risk board or other executive mechanisms to govern IT systems’ risks.”
Moreover, many companies do not address the need for automated business rules and sensor-driven responses, said Boyson. “In other words, they cannot sense and respond to risks in real time.”
“Given the intensifying cyber threats to our nation, the majority of survey group participants have expressed an urgent need for a public/private partnership to speed up the development of a knowledge base and a set of effective practices to defend IT supply chains,” said Boyson.
The cyber supply chain portal is scheduled for completion in February 2014, with Jon Boyens of NIST’s Information Technology Lab serving as the designated government lead on the project.
Read a comprehensive report on the project at http://csrc.nist.gov/scrm/documents/umd_ict_scrm_initiatives-report2-1.pdf.