The global supply chain puts companies and consumers at risk for cybersecurity due to the many sources of components and software that often make up a finished product: a device can be designed in one country and built in another using many components made in different parts of the world.


B. Hayes / NIST

A vulnerable spot in global trade is the supply chain: it allows technology developers and suppliers to create and deliver innovative products, but it can leave businesses, their finished goods and ultimately their consumers open to cyberattacks. A new update of the National Institute of Standards and Technology (NIST)’s cybersecurity supply chain risk management (C-SCRM) guidance aims to help organizations protect themselves while acquiring and using technology products and services.

The revised publication, officially titled Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), provides guidance for identifying, assessing and responding to cybersecurity risks throughout the supply chain at all levels of the organization. It is part of NIST’s response to Executive Order 14028, Improving the Nation’s Cybersecurity, in particular sections 4(c) and 4(d), which deal with enhancing the security of the software supply chain.

Released today after several years of development, including two draft versions, the publication now offers key practices for organizations to adopt as they develop their ability to manage cybersecurity risks within and across their supply chains. It encourages organizations to consider the vulnerabilities not only of the finished product they are considering using, but also of its components, which may have been developed elsewhere, and the journey those components have taken to reach their destination.

“Supply chain cybersecurity management is a necessity that remains here,” said John Boyens of NIST, one of the authors of the publication. “If your agency or organization hasn’t started this, it’s a comprehensive tool that can take you from crawling to walking and running and can help you do it right away.”

Modern products and services depend on their supply chains, which connect a worldwide network of manufacturers, software developers and other service providers. Although they enable the global economy, supply chains also put companies and consumers at risk because of the many sources of components and software that often make up a finished product: a device can be designed in one country and built in another using components from different parts of the world that are themselves assembled from parts made by different manufacturers. Not only can the resulting product contain malware or be susceptible to cyberattacks, but the vulnerability of the supply chain itself can affect the company’s bottom line.

“A manufacturer may experience a disruption to critical production components due to a ransomware attack against one of its suppliers, or a retail chain may experience a data breach because the company that maintains its air conditioning systems has access to the store’s data-sharing portal,” said Boyens.

The main audience for the revised publication is buyers and end users of products, software and services. The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and emphasizes the importance of monitoring risk over time. Because cybersecurity risks can arise at any point in the life cycle or at any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or the retailers that carry it.


“It’s about trust and confidence,” said Angela Smith of NIST, an information security specialist and co-author of the publication. “Organizations need to be more confident that what they buy and use is reliable. This new guide can help you understand what risks to look for and what actions to consider in response.”

Before providing specific guidance (the cybersecurity controls listed in Annex A), the publication offers assistance to the different groups in its target audience, which ranges from cybersecurity professionals and risk managers to systems engineers and public procurement officers. Each group is offered a “user profile” in section 1.4, which advises which parts of the publication are most relevant to that group.

Sections 1.6 and 1.7 of the publication specify how it integrates the guidance promoted in other NIST publications and adapts that guidance to C-SCRM. These other publications include the NIST Cybersecurity Framework and Risk Management Framework, as well as Security and Privacy Controls for Information Systems and Organizations, or SP 800-53 Rev. 5, NIST’s flagship catalog of information system security controls. Organizations that already use the controls of SP 800-53 Rev. 5 will find Appendix B useful: it details how the cybersecurity controls of SP 800-161 Rev. 1 map to them.

Organizations wishing to implement C-SCRM in accordance with Executive Order 14028 should visit the dedicated NIST web-based portal, now referenced in Appendix F. This information has been moved online, in part so that it can reflect evolving trends without affecting the directly published version of SP 800-161 Rev. 1.

Partly because of the complexity of the topic, the authors are planning a short guide to help readers who may be just beginning their organization’s C-SCRM efforts. Boyens said they also plan to offer the main publication as a user-friendly web page.

“We plan to supplement the current PDF format of the document with a clickable web version,” he said. “Depending on what group of users you belong to, this will allow you to click on a link and find the sections you need.”

The publication is available on the NIST website.
