[UPDATE March 8, 2025: Due to recent events I have decided to withdraw my request to have an SCRM implementers panel at the March 20 FERC SCRM meeting and my talk proposal for OWASP Boston]
[UPDATE March 14, 2025: After viewing the agenda for this meeting I've decided to cancel my flights to attend the FERC SCRM meeting on March 20 and will watch from home, writing my observations from the meeting in an Energy Central article. This meeting comes at an important juncture that will decide the future direction of the cybersecurity community and harmonized cybersecurity regulations; "Frat House" or "Club House", #42, culture will be up for debate, IMO. This meeting is the canary in the coal mine moment for harmonized cybersecurity standards across critical infrastructure, IMO. Safe travels to all who attend the FERC meeting, and Happy St. Paddy's Day, Sláinte]
I'm hoping to assemble a panel of SCRM implementers with "ground truth" experience, including SBOMs and the CISA KEV catalog. I have reached out to FERC about having an implementers panel and am awaiting word.
Take notice that staff of the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation will hold a joint workshop on March 20, 2025, from 1:00 PM to 5:00 PM at the Federal Energy Regulatory Commission, 888 First Street, NE, Washington, DC 20426.
The workshop will focus on the "assessment" aspect of supply chain risk management (SCRM). Specifically, the workshop panels will discuss the proposed directive in the Commission's September 19, 2024 Notice of Proposed Rulemaking[1] to require that entities establish steps in SCRM plans to validate the completeness and accuracy of information received from vendors during the procurement process to better inform the identification and assessment of supply chain risks associated with vendors' software, hardware, or services.
Several people have raised good questions, which I will attempt to answer here based on my experience implementing Cyber Supply Chain Risk Management practices since 2018 in support of FERC Order 850.
Q1: What are the steps to "validate the completeness and accuracy of information received from vendors during the procurement process"?
A1: SCRM best practices supplied by "NIST Guidance", per OMB M-22-18 and NIST SP 800-161r1, and the CISA Secure Software Acquisition Guide suggest that consumers apply risk assessment functions to examine vendor viability, integrity, trustworthiness, and foreign ownership, control, or influence. Similar risk assessment functions also apply to a vendor's software development and manufacturing practices, and to the support and trustworthiness of the products it offers to consumers. This requires that a vendor or supplier provide a customer, or prospective customer, with the "specific attestation information" needed to perform these detailed risk assessment functions. That information frequently includes financial and ownership attestations; cybersecurity practices attestations; employee hiring, retention and ongoing education practices; and the locations where products are developed and manufactured, all to ensure that secure, trustworthy products are created, distributed and supported.
Product-level attestations must also be supplied to customers and prospective customers. These include SBOMs, HBOMs, Vulnerability Disclosure Reports (VDR), Security Advisories (SA), Coordinated Vulnerability Disclosure (CVD) practices, Secure Software Development Life Cycle (SDLC) practices and controls used during product development, manufacturing, distribution and support (including End of Life plans), and the cybersecurity protections applied to the development, manufacturing, testing and distribution environments and processes. The combined set of vendor and product attestations must be supplied to a consumer in order to perform a comprehensive risk assessment, resulting in a "Product Trust Score" that factors in all of the attestation materials and the risk analysis performed. A Vendor Response File provides access to these attestation artifacts.
The software industry has also announced support for new legislation requiring Federal Contractors to implement NIST Vulnerability Disclosure Reporting practices.
Completeness of these attestations is defined by the consumer. Vendors are expected to provide the complete set of attestation materials required by the consumer; a Vendor Response File (VRF) may be used for this purpose. Consumers are expected to perform a comprehensive risk assessment and "integrity check validation" based on the attestation materials provided and any additional information the consumer may receive from a vendor. The US Coast Guard is planning to maintain a "Trust Registry" of approved products that can be installed in US Coast Guard IT and OT systems on land and at sea. A Trust Registry is a very effective and efficient method of sharing product risk assessment results across US Government agencies, critical infrastructure sectors and the public. NASA also provides vendors with detailed instructions for completing the NASA SCRM risk assessment process.
In summary, completeness expectations are defined by the consumer, usually in the form of specific attestation material requirements. Validation is performed by the consumer, using its own risk profile and its expectations for integrity, trustworthiness and overall vendor and product longevity and viability, against the attestation materials provided by the vendor. Corroborating evidence is frequently used during validation activities.
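The two consumer-side checks described above, completeness against a consumer-defined attestation list and integrity validation of what the vendor delivered, as an added example; this is not code from the post, FERC, NIST or any vendor, and the VRF layout (`type`/`uri`/`sha256` entries), the mandatory artifact set, and the vendor data are all constructed assumptions.

```python
import hashlib

# Product-level attestation types the post lists; which ones are mandatory is the
# consumer's decision. This particular set is a constructed example, not a regulatory list.
REQUIRED_ARTIFACTS = {"SBOM", "HBOM", "VDR", "SA", "CVD", "SDLC", "EOL"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_vrf(vrf: dict, artifact_store: dict, required=frozenset(REQUIRED_ARTIFACTS)) -> dict:
    """Completeness: every required artifact type is declared in the VRF.
    Integrity: the SHA-256 of each delivered artifact, recomputed by the consumer,
    matches the digest the vendor declared for it in the VRF."""
    declared = {a["type"]: a for a in vrf.get("artifacts", [])}
    missing = sorted(required - set(declared))
    bad = []
    for atype, art in declared.items():
        blob = artifact_store.get(art["uri"])          # None: declared but never delivered
        if blob is None or sha256_hex(blob) != art["sha256"]:
            bad.append(atype)
    return {"missing": missing, "integrity_failures": sorted(bad),
            "complete": not missing, "valid": not missing and not bad}


# --- Constructed sample data (hypothetical vendor, hypothetical VRF layout) ---
ARTIFACT_STORE: dict = {}


def _declare(atype: str, uri: str, data: bytes) -> dict:
    ARTIFACT_STORE[uri] = data                        # what the vendor actually delivered
    return {"type": atype, "uri": uri, "sha256": sha256_hex(data)}


SAMPLE_VRF = {
    "vendor": "ExampleVendor (constructed)",
    "product": "ExampleRelay firmware 2.1 (constructed)",
    "artifacts": [
        _declare("SBOM", "vrf/sbom.cdx.json", b'{"bomFormat": "CycloneDX", "components": []}'),
        _declare("HBOM", "vrf/hbom.json", b'{"components": [{"name": "MCU", "origin": "constructed"}]}'),
        _declare("VDR", "vrf/vdr.json", b'{"vulnerabilities": []}'),
        _declare("SA", "vrf/advisories.txt", b"No open advisories as of release."),
        _declare("CVD", "vrf/cvd-policy.txt", b"Report to psirt@example.invalid; 90-day disclosure."),
        _declare("SDLC", "vrf/sdlc.txt", b"SSDF-aligned practices summary."),
        # "EOL" deliberately absent: the vendor supplied no end-of-life plan.
    ],
}
# Simulate a stale or altered advisory file: delivered bytes no longer match the declared digest.
ARTIFACT_STORE["vrf/advisories.txt"] = b"Advisory text replaced after the VRF was signed off."


def sample_result() -> dict:
    return check_vrf(SAMPLE_VRF, ARTIFACT_STORE)
```

Running `sample_result()` reports `EOL` as missing and `SA` as an integrity failure, so the VRF is neither complete nor valid; only the consumer's own recomputed digest, not the vendor's declaration, decides the integrity outcome.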
[1] Supply Chain Risk Management Reliability Standards Revisions, Notice of Proposed Rulemaking, 188 FERC ¶ 61,174 (2024).