New NIST Framework Focuses on Supply Chain Security

Staff Writer
1/27/2019 | 5 min read

The National Institute of Standards and Technology (NIST) publishes industry-led frameworks for best practices and processes to reduce cyber risks. The most recent update aims to provide an “additional description of how to manage supply chain cybersecurity.”

Here’s what you need to know about 2018’s Version 1.1.

About NIST Cybersecurity Frameworks

NIST, a non-regulatory agency of the U.S. Department of Commerce, has been promoting innovation and industrial competitiveness for over a century. Decades ago, it began developing guidance for managing industrial and defense supply chain risk. In 2015, it released comprehensive guidance on supply chain risk management. Then, earlier this year, the agency added supply chain subcategories to its NIST Cybersecurity Framework.

 “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must-do for all CEOs.” — Secretary of Commerce Wilbur Ross

While many associate the NIST framework with the energy, banking, communications, and defense sectors, the methodologies and procedures laid out can also provide insights into best practices for “large and small companies and organizations across all sectors.” This is especially useful now that the framework includes updates on managing cybersecurity within the supply chain.

Some attribute the new focus on supply chain risk management to the U.S. government’s recent banning of foreign suppliers such as Kaspersky Lab (due to alleged ties to the Kremlin) or Huawei and ZTE (due to ties to the Chinese government). But Jon Boyens, a manager at NIST Security Engineering and Risk Management Group, suggests that this is an oversimplified view of global manufacturing practices, saying “You can’t do foreign versus not-foreign because in today’s world, it doesn’t matter.”

Enhancing Supply Chain Security

Nevertheless, it makes sense to do whatever is possible to better secure supply chains. The updated Framework guidance discusses how to perform self-assessments, provides details on supply chain risk management methods, and offers input on how to interact with supply chain stakeholders.

Version 1.1 calls on organizations to:

  • Identify, establish, and assess cyber supply chain risk management processes and gain stakeholder agreement
  • Identify, prioritize, and assess suppliers and third-party supplier partners
  • Develop contracts with suppliers and third-party partners to address your organization’s supply chain risk management goals
  • Routinely assess suppliers and third-party partners using audits, test results, and other forms of evaluation
  • Complete testing to ensure suppliers and third-party providers are able to respond to and recover from service disruption

The new framework also encourages organizations to address untrustworthy partnerships in the supply chain, which may show up as:

  • Poor manufacturing
  • Counterfeits
  • Tampering
  • Malicious code

NIST has also taken steps to require relevant government agencies to have a viable supply chain risk management plan in place. It did so via an update to a U.S. Office of Management and Budget document governing the management of information resources, and to a national security systems directive.

The Importance of Supply Chain Security

As globalization and technology continue to disrupt the supply chain sphere, there’s an increasing price to pay for loss of control over products and services — in other words, where they are made and who is making them. For this reason, supply chain security must continue to evolve in order to meet society’s shifting needs.

Matt Barrett, NIST program manager for the Cybersecurity Framework, stated that the latest NIST Framework will continue to “evolve as threats, technologies, and industries evolve.”

Image credit: metamorworks / Shutterstock.com
