Technology products are commonly built using components and services supplied by third-party manufacturers and suppliers, making them difficult to secure effectively against malware and other threats. NIST
With a goal to reduce the cybersecurity risk to one of the most vulnerable aspects of commerce—global supply chains—the National Institute of Standards and Technology (NIST) has published a draft guidebook for businesses that presents a set of effective risk management techniques distilled by NIST’s computer security experts.
“Key Practices in Cyber Supply Chain Risk Management” provides a set of strategies to help businesses address the cybersecurity issues posed by modern information and communications technology products, which are commonly built using components and services supplied by third-party organizations. The composed nature of these devices and systems makes them difficult to secure effectively against malware and other threats, placing manufacturers, service providers, and end users at risk.
“The seed of the problem is that everything is interconnected nowadays,” said NIST’s Jon Boyens, one of the draft report’s authors. “Products are very sophisticated, and with our globalized economy, companies often outsource the tasks of developing components and code to other companies, involving multiple tiers of suppliers.”
Vulnerabilities in the cyber supply chain involve not only microchips and their internal code, but also the support software for a device and the other companies that have access to its components. Put them all together, and it can be a daunting task to anticipate every systemic weakness that an adversary might exploit.
The NIST report is a high-level document intended to be easily understood and applied in managing these risks. Its core is a 27-page section outlining eight key practices that have proved to be useful, from establishing a formal risk management program to collaborating closely with key suppliers. Each key practice is accompanied by a set of recommendations, and because each organization will have its own specific needs, the authors also include guidance on how to apply these recommendations.
Acknowledging that companies in different economic sectors might manage supply chain risk differently, the authors also offer a set of 24 case studies in risk management that feature a variety of businesses from aerospace and IT manufacturers to consumer goods companies.
Following public comments, NIST will release a final version in spring 2020.
Recent Comments