New NIST report advises: Securing critical computer systems begins at the beginning

Aug 04, 2010

Nothing beats the feeling of starting up a new computer - be it a laptop, desktop or a major, custom-designed computing system. A new system is a blank slate with no worry of botnets, viruses or any other cybersecurity hazards.

Not so, explains computer researcher Marianne Swanson at the National Institute of Standards and Technology (NIST), lead author of a draft report, Piloting Supply Chain Risk Management for Federal Information Systems. Information systems and components are under attack throughout the supply chain from the design phase—including specification and acquisition of custom products—through disposal. "Computer systems are under attack before installation by adversaries enabled by growing technological sophistication and facilitated by the rapid globalization of our information system infrastructure, suppliers and adversaries," Swanson says.

NIST has released a public draft of the new report for comment.

The supply chain report is geared to information systems that are categorized as "high-impact level," systems for which the loss of confidentiality, integrity or availability could be expected to have a "severe or catastrophic adverse effect on organizational operations, organizational assets or individuals."* The report provides an array of practices designed to help mitigate supply chain risk throughout the life cycle, not just on accepting systems and products "as they are" and managing risks after delivery. The practices are based on procedures found in NIST special publications, and those from the National Defense University and the National Defense Industry Association, and these are expanded to include implementations specific to mitigating supply chain risk.

Typical examples of good practices recommended in the report include integrating information security and supply chain requirements from inception of the project, protecting the supply chain environment, hardening the supply chain delivering mechanisms and configuring the product to limit access and exposure.

Other recommendations:

  • Ensure your information system security, acquisition personnel, legal counsel, and other appropriate advisors and stakeholders are participating in decision making from system concept definition through review and are involved or approving each milestone decision.
  • Ensure the proper funding is allocated for information system security and supply chain
  • Follow consistent, well-documented processes for system engineering and acquisition
  • Provide oversight of suppliers
  • Audit the development process
  • Perform quality assurance and control of security features
  • Assign roles and responsibilities and follow them
  • Fully implement the tailored set of baseline security controls in NIST Special Publication 800-53** appropriate to the system's impact level.
The supply chain security report is intended for information system owners, acquisition staff, information security personnel and systems engineers.

Explore further: Computerized emotion detector

More information: * Categorizing system impact level is described in a NIST document, Standards for Security Categorization of Federal Information and Information Systems (Federal Information Processing Standards Publication 199), available on-line at csrc.nist.gov/publications/fip… PS-PUB-199-final.pdf
** Recommended Security Controls for Federal Information Systems and Organizations (Rev. 3), available on-line at csrc.nist.gov/publications/nis… rrata_05-01-2010.pdf

add to favorites email to friend print save as pdf

Related Stories

NIST Issues Guidelines for Ensuring RFID Security

Apr 27, 2007

Retailers, manufacturers, hospitals, federal agencies and other organizations planning to use radio frequency identification (RFID) technology to improve their operations should also systematically evaluate the possible security ...

Wake-up call: Draft security pub looks at cell phones, PDAs

Jul 10, 2008

In recent years cell phones and PDAs—"Personal Digital Assistants"—have exploded in power, performance and features. They now often boast expanded memory, cameras, Global Positioning System receivers and the ability to ...

NIST Advises on RFID Security Risks

May 01, 2007

The National Institute of Standards and Technology describes some potential dangers of implementing RFID and offers guidelines and best practices for mitigating the risks.

Reducing Expenses, Increasing Profits

Sep 11, 2006

A University of Arkansas researcher studied 123 manufacturing firms -- high-tech and non-high-tech -- and found that implementation of information-technology-based supply-chain management systems has an overall positive impact ...

Recommended for you

Computerized emotion detector

20 hours ago

Face recognition software measures various parameters in a mug shot, such as the distance between the person's eyes, the height from lip to top of their nose and various other metrics and then compares it with photos of people ...

Cutting the cloud computing carbon cost

Sep 12, 2014

Cloud computing involves displacing data storage and processing from the user's computer on to remote servers. It can provide users with more storage space and computing power that they can then access from anywhere in the ...

Teaching computers the nuances of human conversation

Sep 12, 2014

Computer scientists have successfully developed programs to recognize spoken language, as in automated phone systems that respond to voice prompts and voice-activated assistants like Apple's Siri.

Mapping the connections between diverse sets of data

Sep 12, 2014

What is a map? Most often, it's a visual tool used to demonstrate the relationship between multiple places in geographic space. They're useful because you can look at one and very quickly pick up on the general ...

User comments : 0