Supply chain security expands in unclassified community

Working group seeks feedback on best practices for supply chain risk management

A working group from civilian agencies is expanding a part of the Comprehensive National Cybersecurity Initiative on supply chain risk management to the unclassified community through a set of proposed best practices.

The working group, which includes members from the Homeland Security and State departments and the National Institute of Standards and Technology, is building on work that DHS and the Defense Department have already done for CNCI. The initiative had been primarily classified, but many of its plans have been made public this year.

“The group generated a lot of good information and concepts that we felt would be of value to the unclassified community,” said Matt Scholl, manager of the Security Management and Assurance Group at NIST’s Computer Security Division.

NIST recently released a draft interagency report, “Piloting Supply Chain Risk Management Practices for Federal Systems,” that proposes a set of best practices and asks for feedback from agencies putting them into use. “This is a bit of a new space for us, so we’re looking for feedback in the implementation space,” Scholl said.

Supply chain risk management involves assuring the authenticity and reliability of all elements of IT systems, including hardware, software and services, throughout their life cycle from development and acquisition through implementation and production use. IT systems “and their components are increasingly at risk of supply chain attacks from adversaries enabled by growing technological sophistication,” the NIST report states. The global nature of modern supply chains increases the complexity and risk because there is no single point of control and responsibility.

Supply chain risk management is an emerging area of IT security, Scholl said. “It has always been there,” he said. “Initially, we have focused on system and information security. As we have more maturity in those spaces, we’ve been able to broaden our view and see the supply chain as a credible risk area.”

Initiative 11 of CNCI calls for developing a multipronged approach to global supply chain risk management. DOD and DHS are leading the initiative, and the two departments have developed their own Supply Chain Risk Management Pilot Working Group. The civilian work group has used much of the DOD-DHS group's work to produce its best practices report. It has pulled together design, development and acquisition practices already in place that could apply to managing risk in the supply chain.

In developing the recommendations, the working group focused on practices already available that could be readily implemented at a reasonable cost. The practices are intended to apply to systems categorized as high impact under Federal Information Processing Standard 199, which rates systems by the potential impact of a loss of confidentiality, integrity or availability.

Although those practices are supposed to help manage risk in the supply chain, they haven't faced real-world scrutiny.

“It is our intent that organizations begin to pilot the activities and the practices contained in this document and provide feedback on the practicality, feasibility, cost, challenges and successes,” the report states. “This is the first step in a much larger initiative of developing a comprehensive approach to managing supply chain risks.”

NIST plans to expand the document into a special publication to provide guidelines to agencies after the practices have been evaluated in operation.

NIST is asking for comments on the document, and they can be sent to scrm-nist@nist.gov by Aug. 15. Comments and lessons learned from testing the practices should be sent to the same e-mail address by Dec. 30.
