NIST Official: Revised Cybersecurity Supply-Chain Guidance Imminent


The software industry wants agencies to show their ‘use’ of the NIST Cybersecurity Framework, which it says should be mapped to the revised supply chain guidance.

The National Institute of Standards and Technology is about to publish guidance for securing enterprises against supply chain hacks following the SolarWinds event and other major third-party attacks targeting critical infrastructure. 

“The flagship cybersecurity supply chain risk management guidance is [Special Publication 800-161],” NIST’s Angela Smith said. “We're going to actually be releasing the first major revision—revision one—by the end of next week, so everybody should be on the lookout for that if you've not already had a chance to review some of the public drafts that have come out.”

Smith spoke at an event the Atlantic Council hosted Tuesday on efforts to protect the supply chains of information and communications technology. 

The NIST update is coming as the Biden administration tries leveraging the government’s procurement power to nudge contractors like IT management firm SolarWinds and other software suppliers to improve the security of their environments. And as Congress and the Cybersecurity and Infrastructure Security Agency think about broadening private-sector partnerships and addressing risks to critical infrastructure with a more systemic approach, providers of underlying information and communications technology are weighing in. 

Smith said, in addition to the coming revision, future guidance on managing cybersecurity risks that emerge through the supply chain will focus more on activities for providers along that chain to address. Current literature on the issue has focussed more on the responsibilities of the organizations integrating those supply-chain elements into their environments. 

“I will say that [SP 800-161] is written from kind of the perspective of what you need to do to implement a program and from the perspective of an acquirer organization,” she said. “We are anticipating that as we move forward, you know, there'll be additional guidance that begins to focus more on the supply chain side of the house, similar to what occurred out of Executive Order 14028 with software supply chain. You're starting to see some of that, [and] we've included some of that in our guidance that's about to be released on that topic.”

NIST also just stopped receiving feedback for potential changes to its 2014 Cybersecurity Framework—a collection of suggested standards for the implementation of security controls, based on varying levels of risk organizations are willing to accept—as policymakers attempt to harmonize regulatory regimes for securing critical infrastructure across all sectors.

“The CSF should not itself be expanded to address non-cyber risks,” USTelecom, the trade association for major internet service providers, wrote to NIST. “Businesses face an array of financial, reputational, workforce, pandemic-related and other risks. The CSF should not be expanded to address other risks, but rather should serve as a model for a voluntary, flexible framework.”

President Obama ordered NIST to create the CSF and ordered federal agencies to use it, while recommending the private sector do the same. NIST—and industry components favoring the current voluntary approach to private-sector implementation of security controls—tout broad use of the framework for improved risk management. But some crucial suppliers appear unclear on what that means, drawing attention to the subjective nature of the framework’s utility.

“NIST should share what it means for an agency to ‘use’ the framework and agencies should provide to NIST—and NIST should make available—the cybersecurity risk documents created and used by agencies to comply with this requirement,” BSA | The Software Alliance wrote in comments to the agency. “Seeing how U.S. Government agencies use the NIST Cybersecurity Framework would be incredibly valuable for organizations currently using, or considering using, the framework.”