The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for supply chain risk management to help organizations protect themselves in acquiring and using technology products and services.
Specifically, the new update provides key practices for organizations to adopt as they develop their capabilities to manage cyber risks within and across supply chains. The update also encourages organizations to consider vulnerabilities “not only of a finished product they are considering using, but also of its components – which may have been developed elsewhere – and the journey those components took to reach their destination.”
NIST explained that a device may have been designed in one country and built in an entirely different one, using multiple components from different parts of the world that have been assembled by various manufacturers. According to NIST, this could result in a product that contains malicious software, is susceptible to cyberattacks, and affects a company’s bottom line.
“A manufacturer might experience a supply disruption for critical manufacturing components due to a ransomware attack at one of its suppliers, or a retail chain might experience a data breach because the company that maintains its air conditioning systems has access to the store’s data sharing portal,” said NIST’s Jon Boyens, one of the publication’s authors.
The new guidance is called Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), and it provides agencies with guidance to identify, assess, and respond to cyber risks throughout the supply chain at all organizational levels.