After hearing about the recent NIST (National Institute of Standards and Technology) Interagency Report (7622) on 10 Practices to Secure the Supply Chain, I got to wondering who should set the standards. Supply chains are global, so it shouldn’t be a single government agency, even if it’s a standards agency. While supply chains run on technology, it’s only one of the three corners of the supply chain triangle, with the other two being talent and transition (management).
But, of course, supply chain standards are probably not high on the WTO (World Trade Organization) agenda, as its primary purpose is to supervise and liberalize international trade and keep the flow smooth. Trade agreements take priority over standards. Someone has to bite the bullet and take up the challenge. But we need more than high-level practice definitions. These are the 10 perspective practices that NIST recommends:
1. Uniquely identify supply chain elements, processes and actors
2. Limit access and exposure within the supply chain
3. Create and maintain the provenance of elements, processes, tools and data
4. Share information within strict limits
5. Perform supply chain risk management awareness and training
6. Use defensive design for systems, elements and processes
7. Perform continuous integrator review
8. Strengthen delivery mechanisms
9. Assure sustainment activities and processes
10. Manage disposal and final disposition activities throughout the system or element life cycle
Taken one by one:
1. obvious, no help here
2. also obvious, no help here either
3. you should be doing that already to conform to the plethora of trade and security regulations you’re already subject to
4. given the lack of openness in most supply chains between trading partners, this is probably already happening
5. this is good advice — it’s common knowledge, but when it comes to training, no one is listening
6. here’s where it gets good — I don’t think defensive design is part of supply chain design today and it’s a great approach to keep things in perspective
7. that’s just good risk management
8. that’s just part of continuous supply chain improvement
9. this is good advice too — while the sustainability message should also be common knowledge, there’s not enough action on this front either
10. this is great advice — everyone focusses on the acquisition, but often neglects that, at some point, everything created has to be destroyed; everything acquired has to be disposed of
In summary, I give it a 4 out of 10. So, what would be good recommendations? We’ll take that up in a later post. But for now, do you have any?