The National Institute of Standards and Technology on Thursday published updated guidance meant to help agencies and organizations protect against cyberthreats in the supply chain, a major focus of the Biden administration’s cybersecurity executive order last year.
The revised publication on cybersecurity supply chain risk management gives acquirers and users of software and other technologies key practices, processes and controls to consider as they look to protect against such threats that can emerge from that tangled web of global suppliers and manufacturers from which companies develop technology products.
“Managing the cybersecurity of the supply chain is a need that is here to stay,” NIST’s Jon Boyens, one of the publication’s authors, said in a statement. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”
President Biden’s May 2021 cybersecurity executive order required NIST to issue updated guidance within a year in response to the increase in cyber risks and incidents occurring throughout the software and IT supply chain.
NIST’s new publication “encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination,” the agency said in a release.
For instance, with the notorious late 2020 breach involving SolarWinds’ Orion product, Russian hackers embedded malicious code at the source of the SolarWinds software and then moved upstream to gain potential access to 18,000 customers’ networks, including those of numerous federal agencies.
“It has to do with trust and confidence,” said NIST’s Angela Smith, an information security specialist and another author of the guidance. “Organizations need to have greater assurance that what they are purchasing and using is trustworthy. This new guidance can help you understand what risks to look for and what actions to consider taking in response.”
Building off of previous guidance on supply chain risk management, the new publication has enhanced its view of supply chain risks to include source code and retailers that carry it, acknowledging in a release that “cybersecurity risks can arise at any point in the life cycle or any link in the supply chain.”
In March, the Office of Management and Budget issued a directive requiring agencies to comply with NIST’s earlier guidance on software supply chain security and its Secure Software Development Framework.