The National Institute of Standards and Technology (NIST) has updated its guidance document for helping organizations identify, assess and respond to cybersecurity risks throughout the supply chain.
“[Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM)] encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination,” NIST explains.
The document’s revision is part of NIST’s effort to help organizations put into practice mandates from Executive Order 14028, for improving United States’ cybersecurity posture.
About the revised guidance
“The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it,” NIST notes.
The revised publication is primarily aimed at acquirers and end users of products, software and services, and offers advice for different audiences: leaders and personnel dealing with enterprise risk management, acquisition and procurement, infosec/cybersecurity/privacy, system development/engineering/implementation, and so on.
Specific guidance (i.e., cybersecurity controls) is shared in the Appendix A.
Appendix C delineates a few threat scenarios, complete with information about threat source, possible outcomes, impact, risk exposure, potential mitigating strategues and C-SCRM controls, etc. The included example scenarios cover the following incidents:
- Dynamic geopolitical conditions that impact the supply of production components for PCs
- Counterfeit telecommunications element introduced into supply chain
- Nation-state with significant resources looking to steal IP
- Malicious code insertion by a integrator
- Unintentional compromise through an internal employee
- A cyber criminal organization exploiting vulnerable software components
A NIST Cyber SCRM fact sheet has also been provided, and a quick-start guide is in the works.
Addressing cybersecurity threats to the supply chain
“Managing the cybersecurity of the supply chain is a need that is here to stay. If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately,” noted NIST’s Jon Boyens, one of the publication’s authors.
“Following NIST should almost be like following ISO 27001 at this point,” says Jim Barkdoll, CEO, Axiomatics.
“This should be a badge of honor; a differentiator that says ‘I have been inspected for these policies and processes.’ It should signal that the company and its board of directors care about security and have taken meaningful steps to improve. As these revisions continue to occur, instead of companies having to put all kinds of clauses in contracts with sections specific to security, you should simply ask to abide by NIST standards. That’s where I’d like to see this go.”