Cybersecurity Awareness Month: SCS 9001 Helps Organizations Take on New Cyber Rules and Regulations

With Cybersecurity Awareness Month now underway, we want to pause to acknowledge the new era that has quickly come upon us in which governments and regulators around the world are growing more prescriptive in their cyber security requirements for organizations, especially when it comes to critical network infrastructure. In order to counter rising threats from sophisticated cybercriminals, we are seeing unprecedented actions emerge ranging from new requirements for public funding eligibility to fines for not properly reporting breaches. Navigating this new environment is especially challenging for small and medium-sized organizations to move forward confidently with an always-evolving cybersecurity landscape.

Having an industry standard to help align with regulatory goals and NIST standards, best practices, plans and procedures for all organizations is critical for accelerating global, industry-wide progress.

SCS 9001 was created as the world’s first cyber and supply chain security standard developed specifically for the information and communications technology (ICT) industry. And while its initial focus was on the supply chain, it can be used to build a general cyber strategy for organizations looking to benchmark performance against industry average, best and worst in class, and align with various government and industry regulations and recommendations.

The objective of SCS 9001 is to verify end-to-end cyber and physical security across ICT network infrastructure. To accomplish this, SCS 9001 was created as a process-based standard with an optional independent audit and certification program for suppliers and service providers looking to verify that critical security controls and processes are in place for their products and solutions.

The new standard is unique because it helps organizations align with the outcomes of critical industry guidelines and best practices, such as ISO 27001, the Prague Proposals, NCSC Cyber Essentials, The UK Telecom Security Act of 2021, relevant NIST standards and the CSIS Criteria for Security and Trust. (Learn more in our Technical Bulletins)

SCS 9001 can also help organizations align with cyber requirements for public funding programs. For example, NTIA launched its Broadband Equity Access Deployment (BEAD) program designed to close the digital divide across the U.S. and its territories. The program—borne out of the Infrastructure Investment and Jobs Act—has created a once-in-a-lifetime opportunity to connect all the underserved communities across our country.

But along with the opportunity to expand our nation’s network infrastructure, comes new security requirements. Eligibility for funding includes Cybersecurity and Supply Chain Risk Management (SCRM) requirements which means new rules for  state funding applicants, and new plan requirements for the service providers and their suppliers.

According to NTIA’s Notice of Funding Opportunity: “The Infrastructure Act directs the Assistant Secretary to specify prudent cybersecurity and supply chain risk management practices for subgrantees deploying or upgrading broadband networks using BEAD funds.” There are four baseline requirements that can be found in the following documents: for supply chain risk management – NISTR 8276 and NIST 800-161; and for cybersecurity – NIST Framework for Improving Critical Infrastructure Cybersecurity and U.S. Executive Order 14028.

In May, the White House announced EO 14028—Executive Order on Improving the Nation’s Cybersecurity—which set out steps for a new national cyber posture, addressing everything from removing barriers for information sharing to standardizing the way federal agencies respond to breach vulnerabilities and incidents.

The comprehensive Executive Order sets out an immense challenge, but by utilizing SCS 9001, organizations can map directly to each of the requirements and goals of EO 14028, with the standard acting as a guide through the layers of directives.

This is all to say that SCS 9001 is more than just a security standard. It can be used to guide strategies around cybersecurity, strengthening trust throughout supply chains and as a valuable tool for any organizations or agencies committed to securing critical network infrastructure.

Click here to learn more about SCS 9001.

Click here for free tips and other cyber resources from CISA as part of Cybersecurity Awareness Month.