Supply chain risk assessments

A supply chain risk assessment allows a capability to understand the cyber risk within the supply chain.

It also allows the capability to create a mitigation plan to ensure that risks remain within the defined risk appetite.

Risk assessment should be introduced throughout the supply chain, throughout procurement and in all contractual arrangements.

To begin addressing these risks, at a minimum, contracts with suppliers should include:
  • through-life security requirements, including transfer of data at contract end
  • clear acceptance criteria for delivery
  • evidence and documentation requirements
  • special information handling conditions
  • DEFCON 658
  • rights to allow the MOD to terminate the contract in the event of a breach (for example, DEFCON 514)
  • penalties, recovery and remedial actions to be applied in the event of a security breach

Capabilities should review JSP 440 Leaflet 4J (Supply Chain Cyber Risk Management), alongside guidance from the NCSC (Assessing supply chain security), or NIST SP 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations).

Capabilities should also refer to the MOD’s Cyber Security Model for guidance on the standards which suppliers must meet.

Benefits

Carrying out a supply chain risk assessment provides:
  • visibility of supply chain risks
  • identified risks managed appropriately through procurement and contractual arrangements

Outcomes

Outcomes should include:
  • supply chain risk assessment
  • risk mitigation plan

Responsibility

Who is responsible for supply chain risk assessments:
  • Senior Responsible Owner (SRO), or suitable equivalent
  • delivery team lead
  • project management office (PMO)
  • delivery team
  • commercial officers

When to carry out supply chain risk assessments

You should carry out your risk assessments prior to procurement.

They should also be reviewed throughout procurement.