NIST Drafting Supply Chain GuidanceInsights on Risk Management Techniques
The National Institute of Standards and Technology is developing risk management guidance on the information and communications technology supply chain. The draft guidance recommends organizations take an incremental approach to ensure that they first reach a base maturity level in organizational practices.
NIST is seeking comments from stakeholders on its draft of Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations. It will publish a final version later once it reviews comments received.
Although NIST creates its guidance for federal government agencies, organizations in many sectors often follow the advice.
Chinese Threat Concerns
The so-called ICT supply chain received a lot of attention last October when the House Permanent Select Committee on Intelligence issued an investigative report recommending that sensitive U.S. government systems should refrain from using equipment and component parts manufactured by the two Chinese companies, Huawei and ZTE, the world's largest and fifth-largest telecom equipment makers, respectively. Concerns were raised that the Chinese government would order the two manufacturers to alter their wares so they could collect information from U.S. IT systems, accusations both companies denied [see House Panel: 2 Chinese Firms Pose IT Security Risks].
This isn't the first guidance from NIST on the supply chain. Last fall, NIST issued Interagency Report 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems, which lists 10 supply chain risk management practices that can be applied simultaneously to an information system or the elements of an IT system [see 10 Supply Chain Risk Management Best Practices].
The ICT supply chain is a system of networks that includes organizations, people, processes, products and services and the infrastructure supporting the system development life cycle. That includes research and development, design, manufacturing, acquisition, delivery, integration, operations and disposal/retirement of an organization's ICT products, such as hardware, software and services.
Rapidly Expanding Federal Systems
The federal government information systems have been rapidly expanding in terms of capability and number, with an increased reliance on supply chains to outsource services and acquire commercial products. Those supply chains have become more complex and diverse.
"These trends have caused federal agencies to have a lack of visibility and understanding throughout the supply chain of how the technology being acquired is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience and quality of the products and services," the draft guidance says. "This lack of visibility and understanding, in turn, has decreased the control federal departments and agencies have with regard to the decisions impacting the inherited risks traversing the supply chain and the ability to effectively manage those risks."
The draft publication offers proposed guidance on identifying, assessing and mitigating supply chain risks at all levels of organizations. NIST SP 800-161 calls for integrating supply chain risk management into federal agency enterprise risk management activities by applying a multi-tiered supply chain risk management approach. That includes supply chain risk assessments and risk mitigation activities and guidance.
Stakeholders interested in submit comments on the draft should send them by Oct. 15 to firstname.lastname@example.org with the subject line: Comments NIST SP 800-61.