NIST Updates Guidance for Supply Chain Risk ManagementAgency Helps Identify, Assess, Respond to Risk Across Supply Chain
The U.S. National Institute of Standards and Technology, on the back of U.S. President Joe Biden's executive orders regarding cybersecurity, on Thursday revised its guidance for countering supply chain risks.
The revised publication, titled "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations," provides guidance on identifying, assessing and responding to cybersecurity risks throughout the supply chain at all levels of an organization. It is part of NIST's response to Executive Order 14028: Improving the Nation’s Cybersecurity - specifically, Sections 4(c) and (d), which focus on enhancing the security of the software supply chain.
The revised document is the result of several years of development, which entailed two draft versions.
'A Comprehensive Tool'
The latest document offers key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains. It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components that may have been developed elsewhere and the journey those components took to reach their destination.
"Managing the cybersecurity of the supply chain is a need that is here to stay," says Jon Boyens, deputy chief of the computer security division at NIST, and one of the authors of the latest publication. “If your agency or organization hasn't started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately."
Product manufacturers are dependent on supply chains, which are networks of suppliers, original equipment manufacturers or OEMs, contractors and service providers. These entities are typically located in different parts of the world - effectively forming a global supply chain. If even one of these entities experiences a data breach or a malware attack, it poses a risk to other entities in the supply chain and could affect output.
"A manufacturer might experience a supply disruption for critical manufacturing components due to a ransomware attack at one of its suppliers, or a retail chain might experience a data breach because the company that maintains its air conditioning systems has access to the store's data sharing portal," Boyens says.
The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it.
"It has to do with trust and confidence," says NIST's Angela Smith, an information security specialist and another of the publication's authors. "Organizations need to have greater assurance that what they are purchasing and using is trustworthy. This new guidance can help you understand what risks to look for and what actions to consider taking in response."
The revised guidance encourages the use of external service providers and refers to the Federal Risk and Authorization Program cloud services security guidelines.
Section 1.3 says: "The external system service providers discussed in this publication include cloud service providers. This publication does not replace the guidance provided with respect to federal agency assessments of cloud service providers' security. When applying this publication to cloud service providers, federal agencies should first use FedRAMP cloud services security guidelines and then apply this document for those processes and controls that are not addressed by FedRAMP."
But FedRAMP has its own challenges. And Executive Order 14028 requires agencies to ask prospective suppliers for a software bill of materials, or SBOM. This is a detailed list of software modules, components and code libraries or dependencies referred to by vendors' products and linkages to other products in the supply chain.
ENISA: APTs Are Responsible
In July 2021, the European Union Cybersecurity Agency anticipated that supply chain attacks could increase fourfold in the remainder of 2021. ENISA researchers observed that more than 50% of supply chain attacks emanated from established APT groups, which were developing alarmingly sophisticated methodologies to approach and overwhelm attack targets. These groups included APT29, APT 41, Thallium, Lazarus, TA413 and TA428. In 62% of the attacks ENISA analyzed, cyberattackers exploited supplier trust to get to critical access points. And 66% of the analyzed attacks focused on the suppliers' code.
An ENISA-sponsored study, titled "Threat Landscape for Supply Chain Attacks," showed that older frameworks used to defend against supply chain attacks no longer provide adequate security. The implication is that organizations need to find new means of securing against supply chain threats.