One challenge for supply chain security practitioners is choosing which of the multitude of guidance documents and best practice frameworks to use when building a cyber supply chain risk management (C-SCRM) program. There is no touchstone in this arena; instead, we have shades and gradations of goodness and a plurality of approaches.
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), SAFECode, The East-West Institute, Critical Infrastructure Coordinating Councils, and many others have published guidance on methods to address cyber supply chain risks. But to date, there is little evidence that C-SCRM practices are effective in stopping or reducing cyberattacks.