
NIST Revises Supply Chain Security Guidance

by Chris Brook on Friday May 13, 2022


The primary audience for the revised publication is acquirers and end users of products, software and services.

Ever since SolarWinds, the U.S. government has doubled down on its efforts around supply chain risk management, looking to ensure organizations better protect themselves as they acquire and use new technology products and services.

Recently revised guidance, released by the National Institute of Standards and Technology last Thursday, is designed to help organizations before they buy and implement software and configure it into their environment.

The guidance - formally titled Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations - also helps satisfy NIST's response to the White House's cybersecurity Executive Order from last May, Improving the Nation’s Cybersecurity. Sections 4(c) and (d) asked NIST to publish guidelines on enhancing software supply chain security and provide instructions for ensuring those steps can be reviewed periodically.

Supply chain attacks usually involve targeting a lesser-known, often less secure portion of the software supply chain: poor code, third-party providers, vendors or partners with lax security, and so on.

“Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it,” NIST said in its announcement on Thursday.

NIST's work follows up on preliminary guidelines issued by the institute last November and criteria released in February around IoT cybersecurity and secure software development. That work followed consultations with the National Security Agency (NSA), Office of Management and Budget (OMB), Cybersecurity & Infrastructure Security Agency (CISA), and the Director of National Intelligence (DNI).

Mitigating supply chain risk is no easy task, but NIST’s exhaustive 315-page document digs into how to integrate C-SCRM into enterprise-wide risk management programs, how to evaluate success, and how to implement and maintain security controls.

The document closes with some sample scenarios and the best steps to take, i.e. mitigation strategies, in the event they occur.

Some of those scenarios could read like the latest infosec news headlines: unintentional compromise, vulnerable reused components within a system, and industrial espionage.

Some of these risks, such as insiders that steal sensitive intellectual property or nation states inserting malicious code into components sold to government agencies, could pose a grave concern to a business if carried out successfully by an attacker.

As NIST points out, as critical as these risks are, it could take years for them to be exploited or discovered. Even when they are, it's hard to determine whether a vulnerability is a stand-alone issue or interconnected with others, something that could expose organizations to a cascading series of risks.

To address these risks, NIST outlines three levels, operational, mission/business processes, and enterprise, along with strategies, policies, and plans for each one. It also provides a chart that breaks down the stakeholders involved at each level and the C-SCRM activities they should carry out.

The guidance is designed to help organizations regardless of where they are in their C-SCRM journey. NIST is planning on pointing those just starting out to a quick start guide it’s in the middle of creating, while those who are looking to implement C-SCRM best practices to satisfy the cybersecurity Executive Order can visit a special portal to learn more about how to do that.

While the guidance makes a lot of points and can be a great primer for organizations, it's important to note that it's not a one-size-fits-all document. Even NIST points that out: “The guidance throughout this publication should be adopted and tailored to the unique size, resources, and risk circumstances of each enterprise. Enterprises adopting this guidance may vary in how they implement C-SCRM practices internally."

A good example of where things may differ is cloud service providers. At one point, NIST acknowledges that federal agencies shouldn't treat the guidance as a directive when it comes to cloud service providers. Instead, agencies should use the guidelines prescribed by the General Services Administration’s Office of the Federal Risk and Authorization Management Program, or FedRAMP, and apply the C-SCRM document to anything FedRAMP doesn’t cover.

Ultimately, the document is designed to help organizations foster trust: that hardware and software components are valid and built from verified components, that third-party service providers and contractors can be vouched for, and so on.

“It has to do with trust and confidence,” NIST’s Angela Smith, an information security specialist and one of the publication’s authors, said last week. “Organizations need to have greater assurance that what they are purchasing and using is trustworthy. This new guidance can help you understand what risks to look for and what actions to consider taking in response.”
