The National Institute of Standards and Technology (NIST) will consolidate existing supply chain guidance before identifying gaps on which new standards are based, according to a computing security chief at the agency.
The institute is under pressure to issue separate guidance on protecting critical software and testing source code within 60 days and broad standards on supply chain security within 90 days, as the U.S. government races to respond to recent supply chain attacks like the SolarWinds hack.
Testifying to lawmakers before the House Science Committee on Tuesday, computer security division leader of NIST’s Information Technology Laboratory, Matthew Sholl, said the agency was “on track” to deliver new supply chain security standards.
Sholl said also that the agency would deliver the recommendations within the condensed timeframe afforded by President Biden’s recent cybersecurity executive order.
“The initial deliverables might be short. But we also plan on staying persistent on these issues over a much longer period of time,” he said.
In addition to establishing secure software requirements and security measures for using a testing software, NIST is working on two pilot labeling programs that will help agencies understand the security properties of software they might use.
Lawmakers have expressed concern that NIST may not have the necessary resources to meet the tight deadlines. Its cyber and privacy portfolio received funding of only $78 million in last year’s budget.
“I do worry we are increasingly asking NIST experts to do exponentially more work, more quickly, without necessarily the adequate resources,” said Rep. Haley Stevens, D-Mich., who chairs the Research and Technology Subcommittee that oversees the institute.
Sholl made no mention of resource constraints in his testimony.
The Government Accountability Office continues to investigate the SolarWinds hack, and will compile a public report on the incident, which is due to be released later this year.
In a December report on supply chain risk management, GAO found that none of the 23 Chief Financial Officers Act agencies had implemented all the recommended best practices, and 14 had not even started to address the implementation of best practices.
NIST first released its Cyber Supply Chain Risk Management guidance in 2015, followed by its Secure Software Development Framework. And the Office of Management and Budget began directing agencies to address supply chain issues in 2016.