Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Case Studies in Cyber Supply Chain Risk Management: Summary of Findings and Recommendations



Jon M. Boyens, Celia Paulsen, Nadya Bartol, Kris Winkler, James Gimbi


This document is part of Case Studies in Cyber Supply Chain Risk Management-new research that builds on the CSD C-SCRM program's 2015 publications aimed at identifying how C-SCRM practices have evolved. For this case study series, NIST conducted interviews with 16 subject matter experts across a diverse set of six companies in separate industries, including: digital storage, consumer electronics, renewable energy, consumer foods, healthcare, and enterprise cybersecurity. These interviews informed the production of all documents in this series, including six individual company case studies, a summary of findings and recommendations, and a key practices document. This document summarizes findings and recommendations from the case studies. It describes trends, correlations, and novel findings garnered from an analysis of the interviews as a whole and may cover information not reported in any particular individual case study. This document also contains recommendations for further research, study, and guidance development. The research concludes that C-SCRM is an evolving discipline that requires further attention from the user and research communities. While varied practices exist at mature organizations, less mature organizations are in need of further practical guidance and methods for implementing and evolving C-SCRM programs and practices. Proposed follow-up research opportunities include: quantitative cyber supply chain risk analysis and metrics; requirements to consider adding to supplier terms and conditions; sample supplier tiering structure (especially if an organization has a large number of suppliers) or other methods of applying criticality; and creating additional case studies that showcase successful C-SCRM programs that can be used by aspiring organizations as guidance.
OTHER - CSWP 02042020-1
Report Number
CSWP 02042020-1


case study, cyber supply chain risk management, C-SCRM, information and communications technology supply chain risk management, ICT SCRM, third-party risk management, external dependency risk management


Boyens, J. , Paulsen, C. , Bartol, N. , Winkler, K. and Gimbi, J. (2020), Case Studies in Cyber Supply Chain Risk Management: Summary of Findings and Recommendations, Other, National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed June 22, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created February 4, 2020