Supply chain, Governance, Risk and Compliance

NIST will ping industry early next year on new supply chain security guidance

NIST will canvass industry early next year as it looks to update its Cybersecurity Framework to better account for supply chain threats, particularly for smaller businesses.  (Photo by Ethan Miller/Getty Images)

The National Institute for Standards and Technology will look to update its Cybersecurity Framework to account for potential security weaknesses in the supply chain and align it with other NIST guidance.

At a public meeting this week Kevin Stine, NIST’s chief of the Applied Cybersecurity Division, said the agency would put out a request for information early next year to canvass industry on how to shape the update.

One of the main “pillars” of the query will focus on incorporating new guidance to help organizations address security challenges within their internal supply chains. While the agency has been studying the topic years, interest and the desire from industry for clear guidance on how to manage that risk has shot up the past few years as nation state and criminal hackers increasingly take advantage of compromises at major software or cloud providers to infect their downstream customers.

“I think, you know, almost every conversation we participate in today…it all comes back to different dimensions of the supply chain,” said Stine Wednesday at a meeting of the Information Security and Privacy Advisory Board.

The updates will also feed into NIST’s supply chain risk management program as well as an initiative launched by the Department of Commerce following President Biden’s cybersecurity summit in August to assess ways to build and assess secure technologies, evaluate open source software, develop international standards and provide advice that is specifically tailored to the supply chain challenges of small businesses.

The Cybersecurity Framework is one of NIST’s flagship publications, a voluntary set of cybersecurity guidelines that are widely adopted across different industries in the United States and around the world. It was last updated in 2018 and while previous revisions do touch on supply chain issues, Stine said the agency wants “to get feedback on whether we went far enough, is there more we can do and are there other resources that would provide value to the community?”

In addition to new supply chain guidance, the RFI will also likely address ways to make the framework more consistent with other NIST documents, like the Privacy Framework, Risk Management Framework, Secure Software Development Framework and others.

“We’re very conscious of the types and the volume of resources that we issue and we want to make sure that the things that we produce actually do provide value and are aligned and harmonize as much as possible with the other resources that we produce,” Stine said.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds