The National Institute of Standards and Technology (NIST) has released an updated draft of guidelines for evaluating risk in the supply chain.
The organization issued the second public draft of the ‘Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations’ for public comment earlier this week. The latest version includes changes made in response to comments made on the first draft last August.
According to NIST, the growing sophistication and complexity of modern information and communication technology – as well as geographically dispersed supply chains – has put important federal information systems at risk of being compromised through tampering, theft or counterfeiting.
“It builds on NIST’s Managing Information Security Risk publication,” lead author Jon Boyens said in a statement.
“NIST recommends that evaluating ICT supply chains should be part of an organization’s overall risk management activities and should involve identifying and assessing applicable risks, determining appropriate mitigating actions, and developing a plan to document mitigating actions and monitoring performance,” according to the institute’s announcement. “The plan should be adapted to fit each organization’s mission, threats and operating environment, as well as its existing ICT supply chains.”
The draft also calls for building supply chain risk management activities on existing supply chain cybersecurity practices using an organization-wide approach and focusing on systems that are most vulnerable and could have the biggest effect if compromised, according to NIST.
NIST wants feedback on some of the key changes that appear in this draft, such as:
- Increased emphasis on balancing the risks and costs of ICT supply chain risk management processes and controls throughout the publication,
- An ICT supply chain risk management controls summary table that provides a baseline and maps to NIST Special Publication 800-53 Revision 4 High baseline controls in Appendix D, and
- An annotated ICT Supply Chain Risk Management Plan Template in Appendix H.
The period for public comment ends July 18. Comments can be sent by email to scrm-nist@nist.gov using the template on the web page.
Recently, Microsoft released a paper outlining its approach to providing risk-based protection for Microsoft’s software during development and distribution, as well as the company’s approach to assessing risks in the supply chain and where to apply security controls. That paper can be found here.