The National Institute of Standards and Technology (NIST) publishes industry-led frameworks for best practices and processes to reduce cyber risks. The most recent update, though, aims to provide an “additional description of how to manage supply chain cybersecurity.”
Here’s what you need to know about 2018’s Version 1.1.
About NIST Cybersecurity Frameworks
NIST, a non-regulatory agency of the U.S. Department of Commerce, has been promoting innovation and industrial competitiveness for over a century. Decades ago, it began developing guidance for managing industrial and defense supply chain risk. In 2015, it released comprehensive guidance on supply chain risk management. Then, earlier this year, the agency added supply chain subcategories to its NIST Cybersecurity Framework.
“The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must-do for all CEOs.” — Secretary of Commerce Wilbur Ross
While many associate the NIST framework with the energy, banking, communications, and defense sectors, the methodologies and procedures laid out can also provide insights into best practices for “large and small companies and organizations across all sectors.” This is especially useful now that the framework includes updates on managing cybersecurity within the supply chain.
Some attribute the new focus on supply chain risk management to the U.S. government’s recent banning of foreign suppliers such as Kaspersky Lab (due to alleged ties to the Kremlin) or Huawei and ZTE (due to ties to the Chinese government). But Jon Boyens, a manager at NIST Security Engineering and Risk Management Group, suggests that this is an oversimplified view of global manufacturing practices, saying “You can’t do foreign versus not-foreign because in today’s world, it doesn’t matter.”
Enhancing Supply Chain Security
Nevertheless, it makes sense to do whatever is possible to better secure supply chains. The updated Framework guidance discusses how to perform self-assessments, provides details on supply chain risk management methods, and offers input on how to interact with supply chain stakeholders.
Version 1.1 calls on organizations to:
- Identify, establish, and assess cyber supply chain risk management processes and gain stakeholder agreement
- Identify, prioritize, and assess suppliers and third-party supplier partners
- Develop contracts with suppliers and third-party partners to address your organization’s supply chain risk management goals
- Routinely assess suppliers and third-party partners using audits, test results, and other forms of evaluation
- Complete testing to ensure suppliers and third-party providers are able to respond to and recover from service disruption
The new framework also encourages organizations to address untrustworthy partnerships in the supply chain, which may be seen through:
- Poor manufacturing
- Malicious code
And, via an update to a U.S. Office of Management and Budget document governing the management of information resources, and to a national security systems directive, NIST has also taken steps to require relevant government agencies to have a viable supply chain risk management plan in place.
The Importance of Supply Chain Security
As globalization and technology continue to disrupt the supply chain sphere, there’s an increasing price to pay for loss of control over products and services — in other words, where they are made and who is making them. For this reason, supply chain security must continue to evolve in order to meet society’s shifting needs.
Matt Barrett, NIST program manager for the Cybersecurity Framework, stated that the latest NIST Framework will continue to “evolve as threats, technologies, and industries evolve.”
Image credit: metamorworks / Shutterstock.com