NIST Updates Cybersecurity Guidance for Supply Chain Risk Management

The supply chain is a vulnerable spot in global commerce: it enables technology developers and vendors to create and deliver innovative products but can leave businesses, their finished wares, and ultimately their consumers open to cyberattacks. A new update to the US National Institute of Standards and Technology’s (NIST’s) foundational cybersecurity supply chain risk management (C-SCRM) guidance aims to help organizations protect themselves as they acquire and use technology products and services.

The revised publication, formally titled "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations" (NIST Special Publication 800-161 Revision 1), provides guidance on identifying, assessing, and responding to cybersecurity risks throughout the supply chain at all levels of an organization. It forms part of NIST’s response to US Executive Order 14028: Improving the Nation’s Cybersecurity, specifically Sections 4(c) and (d), which concern enhancing the security of the software supply chain.  

Released after a multiyear development process, the publication offers key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains. It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination. 

Modern products and services depend on their supply chains, which connect a worldwide network of manufacturers, software developers and other service providers. Though they enable the global economy, supply chains also place companies and consumers at risk because of the many sources of components and software that often compose a finished product: A device may have been designed in one country and built in another using multiple components from various parts of the world that have themselves been assembled of parts from disparate manufacturers. Not only might the resulting product contain malicious software or be susceptible to cyberattack, but the vulnerability of the supply chain itself can affect a company’s bottom line.

The primary audience for the revised publication is acquirers and end users of products, software and services. The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it.

Before providing specific guidance — called cybersecurity controls, which are listed in Appendix A — the publication offers help to the varied groups in its intended audience, which ranges from cybersecurity specialists and risk managers to systems engineers and procurement officials. 

In part because of the complexity of the subject, the authors are planning a quick-start guide to help readers who may be just beginning their organization’s C-SCRM effort. They also plan to offer the main publication as a user-friendly webpage. 

The publication is available on the NIST website.