The National Institute of Standards and Technology (NIST) has released an updated draft of guidelines for evaluating risk in the supply chain.
The organization issued the second public draft of the ‘Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations’ for public comment earlier this week. The latest version includes changes made in response to comments made on the first draft last August.
According to NIST, the growing sophistication and complexity of modern information and communication technology – as well as geographically dispersed supply chains – has put important federal information systems at risk of being compromised through tampering, theft or counterfeiting.
“It builds on NIST’s Managing Information Security Risk publication,” lead author Jon Boyens said in a statement.
“NIST recommends that evaluating ICT supply chains should be part of an organization’s overall risk management activities and should involve identifying and assessing applicable risks, determining appropriate mitigating actions, and developing a plan to document mitigating actions and monitoring performance,” according to the institute’s announcement. “The plan should be adapted to fit each organization’s mission, threats and operating environment, as well as its existing ICT supply chains.”
The draft also calls for building supply chain risk management activities on existing supply chain cybersecurity practices using an organization-wide approach and focusing on systems that are most vulnerable and could have the biggest effect if compromised, according to NIST.
NIST wants feedback on some of the key changes that appear in this draft, such as:
- Increased emphasis on balancing the risks and costs of ICT supply chain risk management processes and controls throughout the publication,
- An ICT supply chain risk management controls summary table that provides a baseline and maps to NIST Special Publication 800-53 Revision 4 High baseline controls in Appendix D, and
- An annotated ICT Supply Chain Risk Management Plan Template in Appendix H.
The period for public comment ends July 18. Comments can be sent by email to [email protected] using the template on the web page.
Recently, Microsoft released a paper outlining its approach to providing risk-based protection for Microsoft’s software during development and distribution, as well as the company’s approach to assessing risks in the supply chain and where to apply security controls. That paper can be found here.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
