NIST published updated guidance for supply chain risks

The National Institute of Standards and Technology (NIST) has released updated guidance for defending against supply-chain attacks.

The National Institute of Standards and Technology (NIST) has released updated guidance for defending against supply chain attacks.

NIST has published the “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations” in response to the Executive Order 14028: Improving the Nation’s Cybersecurity.

“The purpose of this publication is to provide guidance to enterprises on how to identify, assess, select, and implement risk management processes and mitigating controls across the enterprise to help manage cybersecurity risks throughout the supply chain.” reads the Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.

The guidance details the risks at all levels of the organizations, it provides information about major security controls and practices that organizations should adopt to identify, assess, and respond to these threats.

“Managing the cybersecurity of the supply chain is a need that is here to stay,” wrote NIST’s Jon Boyens, one of the publication’s authors. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”

The experts highlighted the importance of the security of supply chain for modern products and services. A devices may have been designed in one country and its components could be manufactured across multiple countries worldwide. This might result in a dramatic enlargement of the surface of attacks for organizations worldwide.

A security incident suffered by one of the companies producing these components could have a significant impact on the overall product and service.

“A manufacturer might experience a supply disruption for critical manufacturing components due to a ransomware attack at one of its suppliers, or a retail chain might experience a data breach because the company that maintains its air conditioning systems has access to the store’s data sharing portal,” Boyens added.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, NIST)

[adrotate banner=”5″]

[adrotate banner=”13″]