Dive Brief:
- The National Institute of Standards and Technology (NIST) published updated guidance that encourages enterprises to assess supply chain risks throughout the procurement process and to continue monitoring for potential vulnerabilities in source code.
- The 326-page document released last week follows a multiyear development cycle, including two draft versions, written in response to President Joe Biden’s May 2021 cybersecurity executive order. It places additional emphasis on practices NIST deems best suited to identify, assess and respond to cybersecurity supply chain risks in software and cloud-based services.
- NIST’s recommendations underscore the scope of the supply chain risk and complexities that organizations confront in assessing and mitigating potential vulnerabilities.
Dive Insight:
The spotlight on supply chain security came into focus after the SolarWinds hack allowed attackers to gain unfettered access to critical infrastructure for up to 14 months. The incident impacted thousands of organizations globally, and it took months to understand the full extent of the compromise, showcasing the need for industrywide guidance.
NIST wove existing standards and practices, such as zero-trust architecture, into its guidance for directives set forth by last year’s executive order. Without introducing new security controls, the agency included criteria for organizations to evaluate the security practices of developers and suppliers of critical software.
The updated guidelines underscore growing concerns with digital supply chain risks. The document captures the complexity of the problem in its breadth and protracted development, Katell Thielemann, research VP at Gartner, wrote in an email.
“Meaningfully deploying an effective digital supply chain risk management program remains a daunting task,” she said, adding that efforts remain largely absent or fragmented.
NIST acknowledges the laborious activities required to manage supply chain risks and the complex challenges enterprises can encounter at any point or link in the lifecycle of a product or service. The guidance aims to help organizations consider where and when those potential vulnerabilities can surface and offers advice on how to identify risks.
“If your organization hasn’t started on cybersecurity supply chain risk management, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately,” Jon Boyens, deputy chief of the computer security division at NIST, said in a prepared statement.
The exhaustive process of matching existing cybersecurity practices and tools with rules established by the almost year-old executive order further stresses the magnitude of software security risks throughout the supply chain.
Much of NIST’s guidance focuses on connecting foundational cybersecurity supply chain management practices to objectives established by the executive order. It also organizes those recommendations by the different layers of cybersecurity they address and by their relevance to the specific groups of professionals charged with that responsibility.
Biden’s cyber executive order requires the federal government to improve the security of the supply chain and places a priority on critical software. It encourages the use of separate build environments, audits, multifactor authentication, data encryption, and automated monitoring and alerting to detect potential vulnerabilities and ensure the integrity of source code.
NIST’s updated guidance also addresses the need for agencies to obtain a software bill of materials, including open source and proprietary code, used to build and operate software. “It has to do with trust and confidence,” Angela Smith, an information security specialist at NIST, said in a statement.