Despite the fact that NIS2 is a popular topic in trade magazines, newspapers and podcasts, one of the most critical parts, the supply chain, continues to be strongly neglected. Let’s take a look at what the standard imposes on essential and important players.
What we talk about
Monitoring and managing the supply chain is not a fad but a critical activity, because the service an organisation provides depends on what it is supplied with. Think, trivially, of a power failure lasting a very long time: what would happen? And yet, despite the centrality of this topic, very few organisations have moved promptly to address this need. A number of cases have been analysed on this portal, above all that of Jaguar-Land Rover, whose blocked supply chain was so large that the British government had to intervene. In Italy the ASST Rhodense case was discussed, and not only that, because an attack on the supply chain produces damage proportional to two elements:
- Management complexity. The more complex the supply chain, the greater the damage and repercussions on the production object (be it a product or a service).
- Management costs. The greater the complexity, the more time damage management requires. As time increases, so do management costs, which do not always grow ‘linearly’ but can sometimes be exponential relative to the damage caused to end users.
We are talking, therefore, about one of the most difficult aspects to manage which, as we shall see, requires adequate preparation starting from the early contractual stages.
NIS2: what the standard prescribes
Normally, NIS2 is juxtaposed with international standards such as ISO 27001 and the CIS Critical Security Controls, but it is good to know that ACN has prescribed a series of Basic Security Measures that explicitly concern the relationship with suppliers: there are nine measures, eight of which are common to essential and important subjects, and only one that applies solely to essential subjects. Below is a table with the code of the measure, the requirement to be fulfilled, a brief description of the obligations and the subjects affected.
| Code | Description | Requirement | Impacted subject |
|---|---|---|---|
| GV.SC-01 | Supply chain cybersecurity risk management processes and policies are established and accepted 1, 2. | Involvement of the IT security organisation in procurement processes from the design stage and definition of specific security requirements for supply 1, 2. Key players must assess security requirements on several detailed areas (e.g. reliability, vulnerability management, business continuity, decommissioning) 3-5. | Essential and Important |
| GV.SC-02 | The cybersecurity roles and responsibilities for suppliers and partners are established and communicated 1, 2. | Definition, internal communication and tracking (via staff inventory) of IT security roles and responsibilities assigned to third-party personnel 1, 2. | Essential and Important |
| GV.SC-04 | Suppliers are known and prioritised according to criticality 1, 2. | Maintaining an up-to-date inventory of suppliers with potential security impacts, indicating contact details and type of supply 1, 2. | Essential and Important |
| GV.SC-05 | The requirements for dealing with risks in the supply chain are incorporated in contracts 1, 2. | Subject to justified exceptions, there is an obligation to include the established security requirements in requests for tenders, invitations to tender, contracts, agreements and conventions 1, 2. | Essential and Important |
| GV.SC-07 | Risks posed by a supplier or third party are understood, assessed, dealt with and monitored 1, 2. | Documented assessment of the risk associated with supplies (examining level of access, intellectual property, impact of disruption, recovery time) and periodic verification of the supply’s compliance with contractual requirements 1, 2. | Essential and Important |
| ID.AM-04 | Inventories of services provided by suppliers are maintained 1, 2. | Maintaining an up-to-date inventory specifically for all IT services provided by suppliers, including cloud services 1, 2. | Essential and Important |
| ID.RA-05 (Point 1) | Threats and impacts are used to understand the risk and inform the response 1, 2. | The overall cybersecurity risk assessment performed and documented by the organisation must explicitly include dependencies on third-party suppliers and partners 1, 2. | Essential and Important |
| ID.RA-08 (Point 5) | Processes are established for analysing and responding to vulnerability disclosures 1. | Obligation to constantly monitor the communication channels of suppliers of software deemed critical, in order to acquire and respond to information on new vulnerabilities 1. | Only Essentials |
It may be useful to review and reflect on some of these measures, while recommending that you consult the official documentation to keep up to date. Some of the Govern (GV) and Identify (ID) measures, namely the supply chain (SC) and risk assessment (RA) requirements, are examined below.
GV.SC-01
This measure refers to the involvement of the IT security organisation in the procurement process right from the design stage, together with the definition of specific security requirements for the supply. In a true security-by-design perspective, it is essential to demonstrate that the supply chain has been designed and implemented with due care, and this clearly implies that such evidence is present at the contractual level.
GV.SC-05
The measure imposes the obligation to include the established security requirements in requests for tenders, invitations to tender, contracts, agreements and conventions. These security requirements, however, are not limited to the way in which criticalities are handled; they also cover the management of communication flows during an incident. Communication can serve training purposes as well as information purposes, and this should not be underestimated. The importance of adequately designing supply contracts and tenders has often been emphasised here, with the suggestion that a contract review be carried out with suitable lawyers in order to initiate a normalisation process for contracts and supply.
GV.SC-07
Creating a supplier risk analysis that covers the risks posed by a supplier or third party is essential. It is all the more crucial because one often cannot intervene in the supplier’s systems, precisely because they belong to a third party!
ID.RA-08
The measure lays down the obligation to constantly monitor the communication channels of suppliers of software deemed critical, in order to acquire and respond to information on new vulnerabilities, and thus implements what was laid down in the previous GV.SC-05. It should be made clear that, although point 5 of the measure is only present among the basic security measures of essential subjects, the presence of communication and information flows in contracts is also necessary for important subjects. This is demonstrated by point 1, which states the following:
At least the communication channels of the CSIRT Italy, as well as of any sectoral CERTs and Information Sharing & Analysis Centres (ISAC), are monitored in order to acquire, analyse and respond to vulnerability information. (Measure: ID.RA-08, item 1)
While point 5, provided for essential subjects only, requires the following:
For the purposes of point 1, the channels of suppliers of software deemed critical are also monitored. (Measure: ID.RA-08, point 5)
It follows that, fundamentally, the company must demonstrate that it has at least information monitoring flows from the CSIRT Italia, as well as from sectoral CERTs and ISACs.
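The two measures just discussed, the documented supplier risk assessment of GV.SC-07 (level of access, intellectual property, impact of disruption, recovery time) and the monitoring of vulnerability channels under ID.RA-08, only become actionable when advisories from the monitored channels are cross-referenced with the supplier inventory. The following script is an added illustration, not code from the article or from ACN: the supplier inventory, the factor weights, the tier thresholds, the response deadlines and the advisory entries are all constructed here, and product names and advisory identifiers are placeholders.

```python
"""Cross-reference vulnerability advisories against a supplier inventory.

Hypothetical example: inventory, weights, thresholds, deadlines and the
advisory entries are constructed for illustration. Advisory identifiers
and product names are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Factors the article lists for the GV.SC-07 assessment, each rated 1 (low)
# to 3 (high). The weights are an assumption of this example.
FACTORS = ("access_level", "intellectual_property", "disruption_impact", "recovery_time")
WEIGHTS = {"access_level": 3, "intellectual_property": 2,
           "disruption_impact": 3, "recovery_time": 2}


@dataclass
class Supplier:
    name: str
    supply_type: str   # GV.SC-04: type of supply
    contact: str       # GV.SC-04: contact details
    products: tuple    # software/services provided (ID.AM-04 inventory)
    ratings: dict      # GV.SC-07 factor ratings, values 1..3


def criticality(s: Supplier) -> int:
    """Weighted GV.SC-07 score; with the weights above the range is 10..30."""
    return sum(WEIGHTS[f] * s.ratings[f] for f in FACTORS)


def tier(score: int) -> str:
    """Map a score to a prioritisation tier (thresholds are assumptions)."""
    if score >= 24:
        return "critical"
    if score >= 17:
        return "high"
    return "standard"


# Response deadline per tier, in days after publication (assumed values).
SLA_DAYS = {"critical": 2, "high": 7, "standard": 30}


@dataclass
class Advisory:
    advisory_id: str   # placeholder identifier from a monitored channel
    vendor: str
    product: str
    severity: str
    published: date


def match_advisories(inventory, advisories):
    """Return one action per advisory that affects an inventoried product,
    ordered by response deadline. Advisories for products not in the
    inventory are ignored, which is why the ID.AM-04 inventory must be kept
    complete and up to date."""
    index = {}
    for s in inventory:
        for p in s.products:
            index[(s.name.lower(), p.lower())] = s
    actions = []
    for a in advisories:
        s = index.get((a.vendor.lower(), a.product.lower()))
        if s is None:
            continue
        t = tier(criticality(s))
        actions.append({
            "advisory": a.advisory_id,
            "supplier": s.name,
            "tier": t,
            "contact": s.contact,
            "respond_by": (a.published + timedelta(days=SLA_DAYS[t])).isoformat(),
        })
    actions.sort(key=lambda x: x["respond_by"])
    return actions


# Constructed inventory (GV.SC-04 / ID.AM-04) with GV.SC-07 ratings.
INVENTORY = [
    Supplier("Alpha ERP Srl", "ERP software", "security@alpha.example", ("AlphaERP",),
             {"access_level": 3, "intellectual_property": 3,
              "disruption_impact": 3, "recovery_time": 3}),
    Supplier("Beta Cloud", "cloud storage", "csirt@beta.example", ("BetaStorage",),
             {"access_level": 2, "intellectual_property": 1,
              "disruption_impact": 3, "recovery_time": 2}),
    Supplier("Gamma Fonts", "font licensing", "info@gamma.example", ("GammaFont",),
             {"access_level": 1, "intellectual_property": 1,
              "disruption_impact": 1, "recovery_time": 1}),
]

# Constructed advisory entries as they might arrive from a monitored feed.
ADVISORIES = [
    Advisory("ADV-0001-PLACEHOLDER", "Alpha ERP Srl", "AlphaERP", "critical", date(2025, 1, 10)),
    Advisory("ADV-0002-PLACEHOLDER", "Beta Cloud", "BetaStorage", "high", date(2025, 1, 8)),
    Advisory("ADV-0003-PLACEHOLDER", "Unknown Vendor", "SomeTool", "high", date(2025, 1, 9)),
    Advisory("ADV-0004-PLACEHOLDER", "Gamma Fonts", "GammaFont", "low", date(2025, 1, 1)),
]


def triage():
    """Run the matching over the constructed data."""
    return match_advisories(INVENTORY, ADVISORIES)


if __name__ == "__main__":
    for action in triage():
        print(action)
```

The score and tier make the GV.SC-07 assessment explicit and reviewable, and the `respond_by` date gives the documented response that ID.RA-08 asks for; the unmatched advisory for a vendor outside the inventory shows why the supplier and service inventories are the foundation the other measures build on.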
Approaches, origins and standards
It is therefore self-evident that controlling supply chain security is not optional for NIS2 actors; on the contrary, the area is studded with important and very significant obligations. It is certainly possible to achieve these objectives through other standards and methodologies (the Critical Security Controls were mentioned earlier), which public administrations (P.A.) in particular should already have implemented. In fact, it should be recalled that AgID Circular 2/2017 on “Minimum ICT Security Measures for the P.A.” provides technically compatible rules, since it is based on the Critical Security Controls (albeit in version 6, June 2016). It should also be borne in mind that all these measures descend from the more extensive National Framework for Cybersecurity and Data Protection (FNCDP), which provides for specific measures, some examples of which are given below.
| Code | Measure |
|---|---|
| GV.RM-05 | Communication channels are established throughout the organisation for cybersecurity risk, including risk from suppliers and other third parties. |
| GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers and partners are established, communicated and coordinated internally and externally. |
| GV.SC-05 | Requirements to address cybersecurity risks in the supply chain are established, prioritised and integrated into contracts and other types of agreements with suppliers and other relevant third parties. |
| GV.SC-06 | Planning and due diligence are carried out to reduce risks before entering into formal relationships with suppliers or other third parties. |
| GV.SC-07 | The risks posed by a supplier, its products and services and other third parties are understood, recorded, prioritised, assessed, dealt with and monitored in the course of the relationship. |
There would be many more to analyse, but the purpose of this article is to show the reader how precisely the standard sets out the steps to be taken for compliance. The organisation is free to choose how to fulfil these requirements, although the FNCDP itself makes recommendations; it is therefore worth analysing precisely the interaction between one of these measures and the standard underlying Circular 2/2017, the Critical Security Controls.
An example of interaction
In the National Cybersecurity and Data Protection Framework, the last column contains normative references drawn from national, European and international standards, circulars, directives and regulations. In the case of measure GV.SC-06, for example, the FNCDP suggests various normative references, including safeguard 15.5 of CSC 8. Let us see what it means.
| FNCDP | CSC 8 |
|---|---|
| Planning and due diligence are carried out to reduce risks before entering into formal relationships with suppliers or other third parties. [Measure GV.SC-06]. | Assess service providers in accordance with the company’s service provider management policy. The scope of the assessment may vary by classification and may include review of standardised assessment reports, such as Service Organisation Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customised questionnaires or other appropriately rigorous processes. Re-evaluate service providers at least once a year, or at the time of new contracts and renewals. [Safeguard 15.5] |
It is therefore clear that there is consistency between what the CSC 8 standard requires and what is stated in GV.SC-06 of the FNCDP. It is worth pointing out that measure GV.SC-06 can also be met with other standards: ISO 27001 is not listed among the FNCDP’s informative references, but it is nevertheless able to offer appropriate guarantees because it provides specific clauses for the monitoring and regulation of suppliers’ activities.
Conclusions
As this article has tried to show, the current legislation provides for a number of important and essential NIS2 obligations related to supply chain management. These obligations start from the design and contractualisation phase, and thus well before the actual delivery phase. They serve several purposes: a training one, an informative one and certainly a management/operational one. They must be agreed with the supplier who, certainly, can offer tools and methodologies to enrich its offer, but must provide for bidirectional flows: from the supplier to the organisation and also from the organisation to the supplier.