
NIST Shares Cyber Supply Chain Risk Management Guidance

New cyber supply chain risk management guidance from NIST provides organizations with case studies and standards designed to build an effective enterprise program.


By Jessica Davis

NIST unveiled its latest draft guidance around cyber supply chain management, designed to help organizations develop an effective risk management program. Industry stakeholders are being asked to provide feedback by March 4.

The proposed Key Practices in Cyber Supply Chain Risk Management: Observations from Industry is based on an analysis of interviews held between 2015 and 2019, which NIST then developed into 24 case studies. The draft guidance contains six new case studies.

The guide also contains prior NIST research into cyber supply chain risk management, as well as industry standards and best practice documents. It’s aimed at those subject matter experts tasked with leading their organization’s risk management program.

Supply chain risk is prominent in healthcare, given its reliance on a host of third-party vendors and other business associates. Adding to the heightened risk are various threat actors that target healthcare and tech organizations’ supply chain vendors, including the hacking group behind the ransomware known as Zeppelin.

In April 2019, Carbon Black reported that 50 percent of cyberattacks target the supply chain, seeking lateral movement across connected partners, while Microsoft researchers noted a steep increase in supply chain attacks in March 2019.

“In today’s highly connected world, all organizations rely on other organizations for critical products and services,” NIST researchers wrote. “However, today’s world of globalization, while providing many benefits, has resulted in a world where organizations no longer fully control—and often do not have full visibility into—the supply ecosystems of the products that they make or the services that they deliver.”

“Organizations can no longer protect themselves by simply securing their own infrastructures since their electronic perimeter is no longer meaningful,” they continued. “Threat actors intentionally target the suppliers of more cyber-mature organizations to take advantage of the weakest link.”

NIST is seeking comment on several areas, in the hope that stakeholders will provide input on the key practices and recommendations contained in the guide, as they are designed to apply to organizations of all sizes across all sectors.

The guide is meant to be used to develop a cyber supply chain risk management program, combining industry and government resources with the information gathered through NIST research.

Organizations should be able to use the guide to implement an effective, formalized program, to know and manage their critical suppliers, and to understand the supply chain function.

Further, the guidance can help leaders understand how to closely collaborate with key suppliers, while including them within enterprise resilience and improvement activities. There are also best practice insights into assessing and monitoring the supplier relationship and planning for the full lifecycle.

“Each key practice includes a number of recommendations, which synthesize how these practices can be implemented from a people, process, and technology perspective,” researchers wrote. “These and several other recommendations are mapped to each of the key practices to help the readers implement effective C-SCRM practices in their organizations.”

Those recommendations center around creating explicit collaborative roles, structures, and processes for supply chain, cybersecurity, product security, physical security, and other relevant functions; integrating cybersecurity considerations into the system and product lifecycle; determining supplier criticality with standards and best practices; and other crucial supplier relationship insights.

Industry stakeholders can provide feedback until March 4. The supply chain guidance joins other NIST guides currently in progress, including the latest insights around ransomware and other data integrity attacks.

Healthcare providers should look to the proposed guidance for insights into supply chain management, as well as healthcare-specific guidance on the topic released by the Healthcare and Public Health Sector Coordinating Council in October.