
2020.03.15

NISTIR 8272(Draft) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks

Hello, this is Mitsuhiko Maruyama.

NIST is soliciting comments on NISTIR 8272 (Draft) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks...

NIST ITL

・2020.03.13 NISTIR 8272(Draft) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks

・[PDF]  NISTIR 8272 (Draft)

Not only the supply chain-related documents but also the tools are becoming more substantial...

-----

Table of Contents

1 Introduction

 1.1 Purpose
 1.2 Relationship to Other Publications
 1.3 Audience
 1.4 Location of files

2 Tool Overview

 2.1 Licensing
 2.2 Use Case
 2.3 Data Requirements
  2.3.1 Sample Data
 2.4 Security Advisory

3 Getting Started

 3.1 System Requirements
 3.2 Installing the Tool
 3.3 Running the Tool
 3.4 Uninstalling the Tool
 3.5 Creating CSV Files
  3.5.1 CSV File Requirements
  3.5.2 CSV File Optional Fields
 3.6 Importing CSV Files
  3.6.1 Importing Updated CSV Files
  3.6.2 Handling Import Errors
 3.7 Completing Questionnaires
  3.7.1 Using the Artificial Answer Generator

4 User Interface

 4.1 Interface Overview
 4.2 Dashboard
 4.3 Suppliers
 4.4 Products
 4.5 Projects
 4.6 Suppliers, Products, and Projects Questionnaires
 4.7 Visualizations
  4.7.1 Hierarchy
  4.7.2 Candlestick
  4.7.3 Scatterplots
 4.8 Tool Menu

5 Results

 5.1 Overview
 5.2 Significant Nodes
 5.3 Impact Scores
 5.4 Interdependence Scores
 5.5 Assurance Scores

6 Advanced Configuration

 6.1 Overview
 6.2 Question
 6.3 Question Info Text
 6.4 Weight
 6.5 Answers

References

List of Appendices

 Appendix A – Calculation
 Appendix B – Question Categories
 Appendix C – Calculation Example

Announcement
This draft document describes a prototype tool developed to show a possible solution for filling the gap between an organization's risk appetite and supply chain risk posture by providing a basic measurement of the potential impact of a cyber supply chain event. This tool does not represent a complete supply chain risk management solution, but is intended to be integrated into or used in concert with tools such as third-party management, enterprise resource planning, and supply chain management efforts. Comments related to additional functionality or other aspects of the tool may be used to develop future versions of the software.

Abstract
As awareness of cybersecurity supply chain risks grows among federal agencies, there is a greater need for solutions that evaluate the impacts of a supply chain-related cyber event. This can be a difficult activity, especially for those organizations with complex operational environments and supply chains. A publicly available solution to support supply chain risk analysis that specifically takes into account the potential impact of an event does not currently exist. This publication describes how to use the Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool that has been developed to help federal agencies identify and assess the potential impact of cybersecurity events in their interconnected supply chains.

 
