NIST publishes methods to manage risk in the federal ICT supply chain

Nov 28, 2012

The National Institute of Standards and Technology (NIST) has published the final version of Notional Supply Chain Risk Management Practices for Federal Information Systems. This guide offers an array of supply chain assurance methods to help federal agencies manage the risks associated with purchasing and implementing information and communications technologies (ICT) products and services.

Security risks introduced via the supply chain—both intentional and unintentional—are substantial and on the rise. The global ICT supply chain's growing sophistication and increasing speed and scale leave it vulnerable to exploitation through a variety of means, including counterfeit materials or untrustworthy products.

The guide describes ICT supply chain risk management as a multidisciplinary practice with a number of interconnected enterprise processes that, when performed correctly, will help departments and agencies manage the risk of using ICT products and services. The publication calls for procurement organizations to establish a coordinated approach to assess ICT supply chain risk and to manage that risk using technical and programmatic mitigation techniques.

The new guide is based on information technology security practices and procedures published by NIST, the National Defense University, the National Defense Industrial Association and others. These practices were expanded to include supply chain implications. This version of Notional Supply Chain Risk Management Practices for Federal Information Systems has been through two public review periods, allowing for input from a broad array of stakeholders. The final publication differs from previous drafts in that it provides a more specific definition of the supply chain threat and further details on the roles of integrator and supplier and how they apply to the federal government's acquisition of commercial off-the-shelf products.

NIST is developing a draft Special Publication based on the proceedings of the Oct. 15-16, 2012, Supply Chain Risk Management Workshop and ongoing discussions with industry, academic and government stakeholders. PowerPoint presentations from that workshop are available at www.nist.gov/itl/csd/scrm_2012workshop.cfm. NIST will continue to engage public- and private-sector stakeholders throughout the publication development process.

Notional Supply Chain Risk Management Practices for Federal Information Systems (NIST IR 7622) is available at http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7622.pdf.
