To complement the release of recommendations for business and industry to secure their supply chains with Key Practices in Cyber Supply Chain Risk Management (Draft NISTIR 8276), the National Institute of Standards and Technology issued a pre-draft call for comments on NIST Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
“Federal agencies are increasingly concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain,” NIST wrote in a release.
These risks stem from federal agencies' decreased visibility into, understanding of, and control over how the technology they acquire is developed, integrated, and deployed, as well as over the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of those products and services. The result is a supply chain that is an opaque mixture of complex and varied components and suppliers.
The publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. This publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM-specific approach, including guidance on supply chain risk assessment and mitigation activities.
NIST said since SP 800-161 was published in 2015, many things have changed in the laws, regulations, tools, technologies, and best practices encompassing the information and communication technology supply chain risk management ecosystem.
To capture the new findings, NIST has initiated an update of SP 800-161 to incorporate: lessons learned over the past several years; updates to relevant NIST guidance (e.g., NIST SP 800-37 Rev.2, Draft NIST SP 800-53 Rev. 5, and Cybersecurity Framework v1.1); and the priorities of the Administration.
NIST seeks the input of SP 800-161 stakeholders to ensure Revision 1 will continue to deliver a single set of cyber supply chain risk management practices to help federal departments and agencies manage the risks associated with the acquisition and use of IT/OT products and services in a way that is functional and usable.
Specifically, NIST requests input on additions, changes, or removals of ICT SCRM guidance, tiers, controls, or control enhancements, along with a rationale for each proposed addition, change, or removal.
To learn more about what NIST is specifically seeking, see the SP 800-161 Rev. 1 PRE-DRAFT Call for Comments. Please submit your comments no later than Feb. 28, 2020. Please email comments to firstname.lastname@example.org.