Proposed risk management guidelines aim to bolster security of federal ICT supply chains

Jun 04, 2014
Products from across the world add risk to information communications supply chains. Credit: freshidea-Fotolia.com

The National Institute of Standards and Technology (NIST) has published a second public draft of Supply Chain Risk Management Practices for Federal Information Systems and Organizations for public comment. The new version incorporates changes made in response to comments on the original draft issued Aug. 16, 2013.

Between the growing sophistication and complexity of modern information and communication technology (ICT) and the lengthy and geographically diverse ICT supply chains, important systems are at risk of being compromised by counterfeits, tampering, theft, malicious software and poor manufacturing practices. A counterfeit chip could cause a computer system to break down; malware could lead to loss of critical information.

The NIST guide to securing ICT supply chains details a set of processes for evaluating and managing that risk. "It builds on NIST's Managing Information Security Risk publication," explains lead author Jon Boyens.

NIST recommends that evaluating ICT supply chains should be part of an organization's overall risk management activities and should involve identifying and assessing applicable risks, determining appropriate mitigating actions, and developing a plan that documents those mitigating actions and monitors their performance. The plan should be adapted to fit each organization's mission, threats and operating environment, as well as its existing ICT supply chains.

The draft publication also calls for building ICT risk management activities on existing supply chain and cybersecurity practices, employing an organization-wide approach, and focusing on the systems and components that are most vulnerable and can cause the largest impact if compromised.

The guidance is designed for use with high-impact systems as categorized in NIST's Standards for Security Categorization of Federal Information and Information Systems and can be used on moderate systems, if deemed appropriate, Boyens says.

This second public draft is based on an extensive review and comments contributed by the ICT community. NIST is asking for feedback on some of the key changes that appear in this draft, including:

  • Increased emphasis on balancing the risks and costs of ICT supply chain risk management processes and controls throughout the publication,
  • An ICT supply chain controls summary table that provides a baseline and maps to NIST Special Publication 800-53 Revision 4 High baseline controls in Appendix D, and
  • An annotated ICT Supply Chain Risk Management Plan Template in Appendix H.


More information: Supply Chain Risk Management Practices for Federal Information Systems and Organizations, Second Public Draft (NIST SP 800-161) can be downloaded from csrc.nist.gov/scrm/publications.html. The public comment period ends July 18, 2014. Comments may be submitted by email to scrm-nist@nist.gov using the template on the web page.
