Within NIS2, one of the things to consider in achieving compliance is supply chain security. Part of supply chain security is vendor security validation. Managing what your vendor promises, says and delivers is a tedious task. We can help you set up your vendor validation program to ensure the necessary steps are covered:
- Establish cybersecurity requirements that match your desired NIS2 level. Such a list of requirements can be based on the NIS2 requirements themselves, but other frameworks can also be used. A popular one in OT is IEC62443-2-4 (cybersecurity requirements for suppliers), sometimes in combination with IEC62443-3-3 (system security requirements and security levels).
- Verify supplier responses to these cybersecurity requirements and challenge your suppliers on non-conformances. This is often a “paper-based” exercise and requires interaction between you and the supplier’s (technical) people to complete it fully and thoroughly. This is the only way to reach a mutually acceptable agreement.
- Perform technical verifications of the solutions or systems provided by following a Cyber FAT/SAT approach. These verifications must follow a standardized approach so that they are repeatable and the tests cover all of your cybersecurity requirements. Read more about vendor validation and the practical side of FAT/SAT testing in our related blog posts.
- Align your results with your cybersecurity requirements to identify any issues that need to be addressed before the solution or system is deployed.
- In addition to performing FAT/SAT testing, it is important to determine your residual risk after the remediable issues have been addressed. The residual risk of the solution or system describes the remaining technical risks, but it is equally important to identify the associated business risk. For each of these risks, the mitigating actions taken should be listed.