Assessing Supply Chain Risks to Inform Risk-Response and Action
ABSTRACT
This session will provide an overview of NIST’s Cybersecurity-Supply Chain Risk Management work, with a focused discussion on the supply chain risk assessment guidance we include in our draft NIST SP 800-161, Revision 1. The talk will highlight some of the considerations, challenges, and complexities related to performing assessments and how this information can best be used to inform risk response decisions. These decisions are central to being able to improve security and reduce risk, and they affect numerous activities, ranging from the selection and application of system security controls and the making of a contract award decision to the development of a sourcing strategy or the execution of a continuity plan. Depending upon the objective, an assessment can be performed for strategic or operational purposes, at various points across a supply chain, or throughout the life cycle. Performing an assessment requires clarity of purpose, understanding of context, access to quality risk information inputs, and the ability to synthesize and apply the assessment findings so they are meaningful, actionable, and defendable.
BIO
Angela Smith serves as the technical lead for NIST’s Cybersecurity-Supply Chain Risk Management program in the Computer Security Division, within the Department of Commerce’s National Institute of Standards and Technology. She also represents NIST on the Federal Acquisition Security Council’s Working Group and Task Force, and co-leads the Software and Supply Chain Assurance Forum as well as the recently initiated Federal C-SCRM Forum. Prior to joining NIST, Ms. Smith was a Sr. Advisor with GSA, where she provided leadership in the development and implementation of GSA’s supply chain risk management program, supported CFIUS reviews, and supported various interagency and WH-led initiatives and workstreams focused on improving cybersecurity and resilience. Angela is a Certified Information Systems Security Professional, holds a Master’s in Public Administration with a concentration in Information Technology policy from George Mason University, and is a veteran of the US Air Force.