TRENDING:

NIST Drafting Supply Chain Guidance

Insights on Risk Management Techniques Eric Chabrow (GovInfoSecurity) • August 22, 2013    
NIST Drafting Supply Chain Guidance

The National Institute of Standards and Technology is developing risk management guidance on the information and communications technology supply chain. The draft guidance recommends organizations take an incremental approach to ensure that they first reach a base maturity level in organizational practices.

See Also: Now OnDemand | Understanding 3rd Party App Risk to Google Workspace Data

NIST is seeking comments from stakeholders on its draft of Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations. It will publish a final version later once it reviews comments received.

Although NIST creates its guidance for federal government agencies, organizations in many sectors often follow the advice.

Chinese Threat Concerns

The so-called ICT supply chain received a lot of attention last October when the House Permanent Select Committee on Intelligence issued an investigative report recommending that sensitive U.S. government systems should refrain from using equipment and component parts manufactured by the two Chinese companies, Huawei and ZTE, the world's largest and fifth-largest telecom equipment makers, respectively. Concerns were raised that the Chinese government would order the two manufacturers to alter their wares so they could collect information from U.S. IT systems, accusations both companies denied [see House Panel: 2 Chinese Firms Pose IT Security Risks].

This isn't the first guidance from NIST on the supply chain. Last fall, NIST issued Interagency Report 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems, which lists 10 supply chain risk management practices that can be applied simultaneously to an information system or the elements of an IT system [see 10 Supply Chain Risk Management Best Practices].

The ICT supply chain is a system of networks that includes organizations, people, processes, products and services and the infrastructure supporting the system development life cycle. That includes research and development, design, manufacturing, acquisition, delivery, integration, operations and disposal/retirement of an organization's ICT products, such as hardware, software and services.

Rapidly Expanding Federal Systems

The federal government information systems have been rapidly expanding in terms of capability and number, with an increased reliance on supply chains to outsource services and acquire commercial products. Those supply chains have become more complex and diverse.

"These trends have caused federal agencies to have a lack of visibility and understanding throughout the supply chain of how the technology being acquired is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience and quality of the products and services," the draft guidance says. "This lack of visibility and understanding, in turn, has decreased the control federal departments and agencies have with regard to the decisions impacting the inherited risks traversing the supply chain and the ability to effectively manage those risks."

The draft publication offers proposed guidance on identifying, assessing and mitigating supply chain risks at all levels of organizations. NIST SP 800-161 calls for integrating supply chain risk management into federal agency enterprise risk management activities by applying a multi-tiered supply chain risk management approach. That includes supply chain risk assessments and risk mitigation activities and guidance.

Stakeholders interested in submit comments on the draft should send them by Oct. 15 to scrm-nist@nist.gov with the subject line: Comments NIST SP 800-61.

Previous
Security to Protect the Business
Next
Role of Trust in Incident Response

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.