NIST Published Draft Cyber Supply Chain Risk Management Guidance

The National Institute of Standards and Technology (NIST) has released a new draft guidance document on cyber supply chain risk management. Its purpose is to help organizations put an effective cyber supply chain risk management program in place.

Organizations today depend on other organizations to supply vital products and services, yet they frequently lose sight of their supply ecosystems. Relying on third parties for products and services brings numerous advantages, but it also brings risk: threat actors can exploit vulnerabilities in supply chains, and attacks on supply chains are increasing.

In the latter half of 2018, the Operation ShadowHammer supply chain attack compromised the ASUS software update utility. Before the attack was discovered, around 500,000 users of the ASUS Live Update utility had been affected.

The threat group known as DragonFly, also called Energetic Bear, compromised the update websites used by several industrial control system (ICS) software makers and inserted a backdoor into their ICS software. Three ICS software makers were compromised, leading to malware infections at firms in the energy sector.

Carbon Black’s 2019 Incident Threat Report found “island hopping” in 50% of attacks. Island hopping is the term used for cyberattacks that target a business through its customers and partners.

The Ponemon Institute’s November 2018 Data Risk in the Third-Party Ecosystem study found that 59% of companies had been affected by a data breach that occurred at a third-party supplier. A CrowdStrike report published in July 2018 found that 66% of survey respondents had been affected by an attack on the software supply chain.

With supply chain attacks on the rise, it is essential that organizations develop and implement an effective cyber supply chain risk management program. However, many organizations do not know where to begin, and those that have implemented such a program often do not consider it effective.

NIST has been studying the problem of protecting supply chains and has published a number of guidance documents and case studies over the last 10 years to help businesses assess and manage supply chain risks. The purpose of the latest guidance document is to help organizations get started with Cyber Supply Chain Risk Management (C-SCRM).

The document sets out a foundational set of C-SCRM key practices, drawn from industry case studies conducted in 2015 and 2019, previous NIST research and guidance, and industry best practice records. Once these foundational practices are in place, more detailed standards, recommendations, and best practices can be applied to further strengthen supply chain security.

The latest guidance report – Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (Draft NISTIR 8276) – is available for download from NIST. NIST welcomes feedback on the draft guidance document until March 4, 2020.