Reducing the cybersecurity risk to one of the most vulnerable aspects of commerce — global supply chains — is the goal of a new publication by the National Institute of Standards and Technology (NIST), whose computer security experts have distilled a set of effective risk management techniques into a draft guidebook for businesses. NIST is seeking public comment on the draft for the next 30 days.
Key Practices in Cyber Supply Chain Risk Management (Draft NISTIR 8276) provides a set of strategies to help businesses address the cybersecurity issues posed by modern information and communications technology products, which are commonly built using components and services supplied by third-party organizations. The composed nature of these devices and systems makes them difficult to secure effectively against malware and other threats, placing manufacturers, service providers and end users at risk.
Vulnerabilities in the cyber supply chain — really a complex network of connections rather than a single strand — involve not only microchips and their internal code, but also the support software for a device and the other companies that have access to its components. Put them all together, and it can be a daunting task to anticipate every systemic weakness that an adversary might exploit.
Many recent cyber breaches have been linked to supply chain risks. The NIST report is a high-level document intended to be easily understood and applied in managing these risks. Its core is a 27-page section outlining eight key practices that have proved to be useful, from establishing a formal risk management program to collaborating closely with key suppliers. Each key practice is accompanied by a set of recommendations, and because each organization will have its own specific needs, the authors also include guidance on how to apply these recommendations.
Acknowledging that companies in different economic sectors might manage supply chain risk differently, the authors also offer a set of 24 case studies in risk management that feature a variety of businesses ranging from aerospace and IT manufacturers to consumer goods companies. These case studies, along with a summary of the findings, are available at NIST’s Cyber Supply Chain Risk Management Key Practices page.
The April 2018 update to the NIST Cybersecurity Framework added a new section about supply chain risk management, and the new report cross-references the framework so that organizations can use both sets of NIST guidance together.
Public comments on Draft NISTIR 8276 can be submitted until March 4, 2020, to firstname.lastname@example.org , and NIST will consider them before releasing a final version, planned for Spring 2020.