Cyber attacks have raised Cyber-Supply Chain Risk Management (C-SCRM) concerns across the U.S. Federal Government, helping to prioritise Cybersecurity Supply Chain Risk Management (SCRM) and cybersecurity risk management more broadly, and focusing Federal Agencies on identifying the risks that cyber threats pose and mitigating their impact on agency systems and supply chains.
The federal government has been working to address cybersecurity since Congress passed FISMA in 2002, with amendments in 2014 and 2022. FISMA requires Federal Agencies and their contractors to adopt the Risk Management Framework (RMF) and NIST SP 800-37. The RMF requires organisations to develop a C-SCRM policy and to address C-SCRM goals and objectives in their strategic plans, missions, business functions, and organisational roles and responsibilities. C-SCRM policies and the risk management practices that implement them must align with both FISMA and Office of Management and Budget (OMB) A-130.
FISMA is a regulation that all Federal Agencies must adopt and apply to their suppliers and down their supply chains. It also comes with teeth, but as yet there has been little appetite to enforce compliance. But do not be fooled: FISMA sits in the room like the proverbial elephant no one talks about, but everyone knows it's there.