10 Practices to Secure the Supply ChainNIST Drafting New Guidance to Mitigate Supply Chain Risk
Guidance that identifies 10 overarching practices to mitigate supply chain risks is being developed by the National Institute of Standards and Technology.
See Also: A CISO’s Guide to Defender Alignment
Supply chain risks can occur when organizations purchase and implement information and communications technology products and services. "Supply chain risk is significant and growing," says Jon Boyens, a NIST senior advisor for information security who's co-authoring the new guidance, NIST Interagency Report 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems.
This is the second draft of IR 7622. In the latest version, NIST computer scientists pared to 10 from the 21 prescriptive practices to blunt supply chain risks described in the initial draft. They are:
- Uniquely identify supply chain elements, processes and actors;
- Limit access and exposure within the supply chain;
- Create and maintain the provenance of elements, processes, tools and data;
- Share information within strict limits;
- Perform supply chain risk management awareness and training;
- Use defensive design for systems, elements and processes;
- Perform continuous integrator review;
- Strengthen delivery mechanisms;
- Assure sustainment activities and processes; and
- Manage disposal and final disposition activities throughout the system or element life cycle.
Supply chain risk management, as described in the guidance, is a multidisciplinary practice with a number of interconnected enterprise processes that, when performed correctly, will help departments and agencies manage the risk of using information and communication technology products and services. The publication calls for procurement organizations to establish a coordinated team approach to assess the supply chain risk and to manage this risk by using technical and programmatic mitigation techniques.
Improving the supply chain is part of the federal government's Comprehensive National Cybersecurity Initiative, which states that managing risk requires a greater awareness of the threats, vulnerabilities and consequences associated with acquisition decisions.
"The growing sophistication of technology and increasing speed and scale of a complex, distributed global supply chain leave government agencies without a comprehensive way of managing or understanding the processes from design to disposal, and that increases the risk of exploitation through a variety of means including counterfeit materials, malicious software or untrustworthy products," according to a NIST statement that accompanied the latest draft.
NIST is basing IR 7622 on security practices and procedures it published along with those from the National Defense University and the National Defense Industrial Association. NIST is expanding the guidance to meet specific demands of the supply chain.
Before issuing the final guidance later this year, the authors of IR 7622 seek comments on the document, including prioritizing the supply chain risk management components. To help understand how the proposed process works, the authors want reviewers to consider how the practices could be applied to recent and upcoming procurement activities and provide comments on the practicality, feasibility, cost, challenges and successes. Comments should be sent to firstname.lastname@example.org by May 25.