In August 2023, a draft of version 2 of the globally respected NIST cybersecurity framework was released for public review.
This draft includes the addition of a sixth function called Govern, within which are six Categories including ‘Cybersecurity Supply Chain Risk Management’.
This new Category, referred to as GV.SC outlines the processes an organisation should have in place to monitor and manage their exposure to cybersecurity risks among their suppliers. The impacts of these risks data breaches, operational disruption and outright fraud.
Darkbeam’s Supplier Cyber Risk Management capabilities can be mapped directly onto these specifications within the draft update to the NIST cybersecurity framework, allowing organisations to demonstrate globally recognised best practices for protecting themselves, their employees, their clients and their shareholders against the cybersecurity risks exposed through their suppliers.
Improve your supplier cyber risk management
Darkbeam's experienced team have managed third-party risks for everything from regional police forces to one of the largest companies in the world. Speak to us about efficiently aligning your supplier cyber risk management processes with internationally recognised frameworks.
The final version of this updated framework is due to be released early 2024, at which point it will become the gold-standard to which companies align their cyber risk management processes globally.
Whilst supply chain risk is only one category of the framework, it is critical in protecting organisations from data theft, operational disruption and fraudulent activity. Typically, it remains unaddressed (only 13% of UK companies manage their supply chain cyber risks) because doing so is perceived as expensive and time-consuming.
Darkbeam bypasses these road-blocks through cost-effective automation at scale, supported by an optional Embedded Capability provided by seasoned third-party cybersecurity experts.
Whilst the framework is currently in draft and therefore subject to change, the below indicates how Darkbeam helps organisations to align to each point of the Cybersecurity Supply Chain Risk Management category.
NIST Category: Governance - Cybersecurity Supply Chain Risk Management
|GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders (formerly ID.SC-01)
|Darkbeam provides a centralised hub for cybersecurity supply chain risk management within an organisation, aligning risk visibility across all stakeholders, allowing them to agree on - and monitor - relevant measures of success
|GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally (formerly ID.AM-06)
|All relevant stakeholders, including suppliers, can access their Darkbeam reports; allowing them to take responsibility for addressing issues with informed oversight and auditable controls
|GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes (formerly ID.SC-02)
|Darkbeam integrates with partner platforms and our data is also available via API, allowing cybersecurity supply chain risks to be viewed alongside other enterprise risks. Meanwhile, detailed explanations of cybersecurity risk factors allow improvement processes to be developed and implemented based on real-world risk data
|GV.SC-04: Suppliers are known and prioritized by criticality
|Darkbeam's team are highly experienced in helping organisations to identify suppliers – even within their shadow spend. Our in-house Threat Analysts regularly support clients in prioritising suppliers by criticality, allowing clients to use their resources to address the most critical risks while maintaining a complete view of their overall supplier cyber risk exposure
|GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties (formerly ID.SC-03)
|Through automated, continuous monitoring and an optional Embedded Capability, Darkbeam helps clients to include and enforce cybersecurity standards within supplier agreements efficiently at scale
|GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
|Any potential supplier can be assessed in seconds for cyber vulnerabilities before or during negotiations. Suppliers can also be compared, making cybersecurity risk a viable, consistent factor in supplier selection. For critical suppliers, Darkbeam's services can include additional OSINT analysis and in-depth reporting for prospective suppliers
|GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are identified, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship (formerly ID.SC-02, ID.SC-04)
Darkbeam helps organisations to understand the risks posed by, threats against and impact associated with any supplier in a cybersecurity context. Detailed, actionable insights into specific vulnerabilities within suppliers help form the basis for targeted action plans that ensure all suppliers meet your organisation's high standards
|GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities (formerly ID.SC-05)
|Darkbeam's comprehensive services include Supplier Incident Response support, helping to engage suppliers in a targeted response to any incidents which could impact your data security, operational efficiency or financial interests. All suppliers have access to their own Darkbeam vulnerability report to enable continuous management of vulnerabilities before an incident occurs
|GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
|As well as our standalone platform, Dearkbeam integrates with several wider Risk Management solutions, providing Supplier Cyber Risk Management data alongside and in the context of other risks. All suppliers are automatically monitored and reassessed regularly
|GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
|Not only can suppliers continue to be monitored by Darkbeam after the conclusion of a contract, but your organisation can also benefit from deep & dark web monitoring, meaning that subsequent adverse activity is detected and addressed without relying upon former suppliers to alert you of incidents
Our team are very happy to answer questions regarding how Darkbeam can help your organisation to align supplier cyber risk management efforts with established frameworks such as that provided by NIST. For more information, please contact us using the form below, or by calling +44 (0)30 3833 0348.