NIST's Updated Cybersecurity Guidance for Supply Chain Risk Management
In every industry, cybersecurity issues are a growing concern—and this is certainly true for supply chain stakeholders. In a November article, we cited what one expert wrote in a Security Magazine post, “If one facility, port, software or database is interrupted due to an attack, countless companies and consumers can be impacted, resulting in great financial loss and compromised data.”
This reflects the challenges associated with a complex and fragmented supply chain in which third- and fourth-party suppliers and beyond can add to the level of risk.
The growing threat atmosphere is captured in the introduction to Executive Order (EO) 14028: Improving the Nation’s Cybersecurity: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people's security and privacy. …”
Within the EO, one of the agencies required to address cybersecurity challenges is the National Institute of Standards and Technology (NIST), which summarized its role in “Improving the Nation's Cybersecurity: NIST’s Responsibilities Under the May 2021 Executive Order.”
“The President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity issued on May 12, 2021, charges multiple agencies – including NIST – with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.
“Section 4 directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. Those guidelines, which are ultimately aimed at federal agencies but which also are available for industry and others to use, include:
criteria to evaluate software security,
criteria to evaluate the security practices of the developers and suppliers, and
innovative tools or methods to demonstrate conformance with secure practices.
“NIST is to consult with other agencies in producing some of its guidance; in turn, several of those agencies are directed to take steps to ensure that federal procurement of software follows that guidance.”
As part of its response, NIST recently released an updated publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161r1).
Here, we’ll provide a snapshot of NIST, its role in cybersecurity, and what the new guidance means for supply chain stakeholders.
What is NIST?
Founded in 1901 and now part of the U.S. Department of Commerce, NIST describes itself as “one of the nation's oldest physical science laboratories. … From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials and computer chips, innumerable products and services rely in some way on technology, measurement and standards provided by the National Institute of Standards and Technology.”
This NIST video illustrates the organization’s role and how it collaborates across disciplines and around the world.
NIST C-SCRM Program
The NIST Cybersecurity Supply Chain Risk Management (C-SCRM) program “helps organizations to manage the increasing risk of supply chain compromise related to cybersecurity, whether intentional or unintentional.”
“The factors that allow for low-cost, interoperability, rapid innovation, a variety of product features, and other benefits also increase the risk of a compromise to the supply chain, which may result in risks to the end user,” NIST says. “Managing cybersecurity risks in supply chains requires ensuring the integrity, security, quality and resilience of the supply chain and its products and services. Risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cybersecurity-related elements of the supply chain.”
“C-SCRM involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of ICT/OT product and service supply chains,” according to NIST. “It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction). NIST conducts research, provides resources, and convenes stakeholders to assist organizations in managing these risks.”
NIST’s Updated C-SCRM Guidance
One of those resources is the updated Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations guidance in NIST SP 800-161r1, which was announced on May 5th.
According to the announcement, “A new update to the National Institute of Standards and Technology’s (NIST’s) foundational cybersecurity supply chain risk management (C-SCRM) guidance aims to help organizations protect themselves as they acquire and use technology products and services.”
The revised publication “provides guidance on identifying, assessing and responding to cybersecurity risks throughout the supply chain at all levels of an organization,” the statement said.
Additionally, it now offers “key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains. It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination.”
Quoted in the announcement, NIST’s Jon Boyens, one of the publication’s authors, said, “Managing the cybersecurity of the supply chain is a need that is here to stay. If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”
The announcement described the need for C-SCRM this way: “Modern products and services depend on their supply chains, which connect a worldwide network of manufacturers, software developers and other service providers. Though they enable the global economy, supply chains also place companies and consumers at risk because of the many sources of components and software that often compose a finished product: A device may have been designed in one country and built in another using multiple components from various parts of the world that have themselves been assembled of parts from disparate manufacturers. Not only might the resulting product contain malicious software or be susceptible to cyberattack, but the vulnerability of the supply chain itself can affect a company’s bottom line.”
“It has to do with trust and confidence,” said NIST’s Angela Smith, an information security specialist and another of the publication’s authors. “Organizations need to have greater assurance that what they are purchasing and using is trustworthy. This new guidance can help you understand what risks to look for and what actions to consider taking in response.”
The announcement also provided an overview of the in-depth publication:
“Before providing specific guidance — called cybersecurity controls, which are listed in Appendix A — the publication offers help to the varied groups in its intended audience, which ranges from cybersecurity specialists and risk managers to systems engineers and procurement officials. Each group is offered a ‘user profile’ in Section 1.4, which advises what parts of the publication are most relevant to the group.”
“The publication’s Sections 1.6 and 1.7 specify how it integrates guidance promoted within other NIST publications and tailors that guidance for C-SCRM. These other publications include NIST’s Cybersecurity Framework and Risk Management Framework, as well as Security and Privacy Controls for Information Systems and Organizations, or SP 800-53 Rev. 5, its flagship catalog of information system safeguards. Organizations that are already using SP 800-53 Rev. 5’s safeguards may find useful perspective in Appendix B, which details how SP 800-161 Rev. 1’s cybersecurity controls map onto them.”
“Organizations seeking to implement C-SCRM in accordance with Executive Order 14028 should visit NIST's dedicated web-based portal, as Appendix F now indicates. This information has been moved online, in part to reflect evolving guidance without directly affecting the published version of SP 800-161 Rev. 1.”
“In part because of the complexity of the subject, the authors are planning a quick-start guide to help readers who may be just beginning their organization’s C-SCRM effort.”
Boyens said they also plan to offer the main publication as a user-friendly webpage.
“We plan to augment the document’s current PDF format with a clickable web version,” he said. “Depending on what group of users you fall into, it will allow you to click on a link and find the sections you need.”
The PDF version of the updated guidance can be found here: NIST SP 800-161r1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations