Article ID | Journal | Published Year | Pages | File Type |
---|---|---|---|---|
1021875 | Technovation | 2014 | 8 Pages |
This paper describes the journey of the evolving cyber supply chain community towards creating practical and useful standards and best practices. It is based on the author's experience working on the topic since 2006 and contains observations and lessons learned, refined over the years. Cyber supply chain security requires members of several different professional communities to come together, including information security, system and software engineering, supply chain and logistics, and process improvement, to name a few. These professional communities had not worked or interacted before and had divergent experiences, vocabularies, frameworks, standards, ways of demonstrating that the practices were performed, and many other things. Over the years these people have learned that many practices that they thought were missing already existed in another discipline and that reinventing them was not necessary. The paper will summarize this journey with the goal of helping those new to this subject matter learn from those who have been working on it for some time.

The paper also describes the current landscape of cyber supply chain standards, including the ones that provide foundational practices that may not be strictly cyber supply chain, those that are truly cyber supply chain, and processes and techniques that can be used in support of cyber supply chain security. The readers of this paper will learn what these emerging efforts have to offer and what is needed to successfully implement the practices that these efforts propose.