NIST Releases Updated Cybersecurity Supply Chain Risk Management Guidance

On Thursday, the National Institute of Standards and Technology (NIST) released updated cybersecurity supply chain risk management (C-SCRM) guidance to help organizations develop an effective program to identify, assess and respond to cybersecurity risks throughout the supply chain.

Cybercriminals are increasingly targeting the supply chain. A successful attack on a single vendor can allow the threat actor to compromise the networks of all companies that use the product or service, as was the case with the REvil ransomware attack on Kaseya in 2021. Threat actors exploited a vulnerability in the Kaseya VSA software, and the attack affected up to 1,500 businesses.

The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the result of a multi-year process that included the publication of two drafts of the guidance. The updated guidance can be used to identify, assess and respond to cybersecurity risks throughout the supply chain at all levels of an organization.

While organizations should consider vulnerabilities in the finished product they plan to use, the guidelines also encourage them to consider the security of product components, which may include open source code or components developed by third parties. A product or device may have been designed in one country, manufactured in another, and incorporate components from many other countries, which in turn may have been assembled from parts supplied by disparate manufacturers. Malicious code may have been embedded into components, and vulnerabilities may have been introduced that could be exploited by cyber threats. The guidance therefore encourages organizations to consider the path taken by each component to reach its destination.

The guidance is intended for purchasers and end users of products, software and services. As the guide is intended for use by a wide audience, user profiles are included which explain which sections of the guide are most relevant to each group. “The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multi-tiered approach specific to C-SCRM, including guidance on developing risk management plans, implementation of the C-SCRM Strategy, C-SCRM Policies, C-SCRM Plans, and Risk Assessments for Products and Services,” NIST explained.

The guidance can be used to integrate cybersecurity supply chain risk considerations and requirements into procurement processes and create a program for ongoing monitoring and management of supply chain risks.

“Supply chain cybersecurity management is a need that is here to stay,” said Jon Boyens of NIST, one of the publication’s authors. “If your agency or organization hasn’t started doing this, this is a comprehensive tool that can take you from crawling to walking to running, and it can help you do that right away.”
