Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

NIST Publishes Second Draft of Federal IT Supply Chain Risk Management Guidelines

The National Institute of Standards and Technology (NIST) has released an updated draft of guidelines for evaluating risk in the supply chain.

The organization issued the second public draft of the ‘Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations’ for public comment earlier this week. The latest version includes changes made in response to comments made on the first draft last August.

The National Institute of Standards and Technology (NIST) has released an updated draft of guidelines for evaluating risk in the supply chain.

The organization issued the second public draft of the ‘Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations’ for public comment earlier this week. The latest version includes changes made in response to comments made on the first draft last August.

According to NIST, the growing sophistication and complexity of modern information and communication technology – as well as geographically dispersed supply chains – has put important federal information systems at risk of being compromised through tampering, theft or counterfeiting.

“It builds on NIST’s Managing Information Security Risk publication,” lead author Jon Boyens said in a statement.

“NIST recommends that evaluating ICT supply chains should be part of an organization’s overall risk management activities and should involve identifying and assessing applicable risks, determining appropriate mitigating actions, and developing a plan to document mitigating actions and monitoring performance,” according to the institute’s announcement. “The plan should be adapted to fit each organization’s mission, threats and operating environment, as well as its existing ICT supply chains.”

The draft also calls for building supply chain risk management activities on existing supply chain cybersecurity practices using an organization-wide approach and focusing on systems that are most vulnerable and could have the biggest effect if compromised, according to NIST.

NIST wants feedback on some of the key changes that appear in this draft, such as:

  • Increased emphasis on balancing the risks and costs of ICT supply chain risk management processes and controls throughout the publication,
  • An ICT supply chain risk management controls summary table that provides a baseline and maps to NIST Special Publication 800-53 Revision 4 High baseline controls in Appendix D, and
  • An annotated ICT Supply Chain Risk Management Plan Template in Appendix H.

The period for public comment ends July 18. Comments can be sent by email to [email protected] using the template on the web page.

Recently, Microsoft released a paper outlining its approach to providing risk-based protection for Microsoft’s software during development and distribution, as well as the company’s approach to assessing risks in the supply chain and where to apply security controls. That paper can be found here.

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.