NIST Publishes Updated Cybersecurity Supply Chain Risk Management Guidance
On Thursday, the National Institute of Standards and Technology (NIST) published updated cybersecurity supply chain risk management (C-SCRM) guidance to help organizations develop an effective program for identifying, assessing, and responding to cybersecurity risks throughout the supply chain.
Cyber threat actors are increasingly targeting the supply chain. A successful attack on a single supplier can allow the threat actor to compromise the networks of all companies that use the product or service, as was the case with the REvil ransomware attack on Kaseya in 2021. The threat actors exploited a vulnerability in Kaseya VSA software and the attack affected up to 1,500 businesses.
The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the result of a multiyear process that included the release of two draft versions of the guidance. The updated guidance can be used to identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels of an organization.
While organizations should consider vulnerabilities in the finished product they are considering using, the guidance also encourages them to consider the security of components of the project, which may include open source code or components developed by third parties. A product or device may have been designed in one country, manufactured in another, and incorporate components from many other countries, which in turn may have been assembled from parts provided by disparate manufacturers. Malicious code may have been incorporated into components, and vulnerabilities may have been introduced that could be exploited by cyber threat actors. The guidance encourages organizations to consider the journey that each of the components took to reach their destination.
The guidance is aimed at acquirers and end users of products, software, and services. Since the guidance is intended to be used by a wide audience, user profiles are included that explain which sections of the guidance are most relevant for each group. “The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services,” explained NIST.
The guidance can be used to build cybersecurity supply chain risk considerations and requirements into acquisition processes and create a program for continuously monitoring and managing supply chain risks.
“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens, one of the authors of the publication. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”