What you don't know about the IT supply chain can hurt you
- By William Jackson
- Aug 22, 2013
Government increasingly relies on off-the-shelf hardware and software from a complex supply chain supporting the system lifecycle, from research and development through retirement and disposal. Too often, however, agencies lack awareness and control over this global network, the National Institute of Standards and Technology warns.
“This lack of visibility and understanding has decreased the control federal departments and agencies have with regard to the decisions impacting the inherited risks traversing the supply chain and the ability to effectively manage those risks,” NIST said in a draft version of guidelines for supply chain security.
Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, provides guidance for identifying, assessing and mitigating risk in the IT and communications technology supply chain, and for integrating that process into an agency’s overall risk management program.
The document is the product of a five-year initiative and draws on earlier NIST guidelines for risk management and security controls. The supply chain gets its own publication because of the threats posed by the increasing complexity and geographical diversity of modern business partnerships.
“Globalization of the commercial [IT and communications] marketplace provides increased opportunities for adversaries to directly or indirectly affect the management or operations of companies in a manner that may result in risks to the end user,” the document says.
Supply chain security has been recognized as an essential element of cybersecurity because software and equipment could be compromised at their sources with back doors or malicious code that would later give adversaries access to critical IT systems. There is also the threat that counterfeit or otherwise substandard products could jeopardize the safety of the systems in which they are used.
Threats from other nations, which might control or influence vendors in the supply chain, can be sophisticated and difficult to detect, but significant risk can come from many sources in the chain, including individuals and companies seeking a competitive advantage.
The risk to any system is determined by the vulnerabilities within it, the threats against those vulnerabilities, the likelihood of an exploit and the impact of an exploit. SP 800-161 contains a number of real-world scenarios for evaluating and mitigating risks in the supply chain, including:
- The possibility of counterfeit telecom parts introduced because of a company’s decision to discontinue some equipment.
- The threat of industrial espionage posed by business partnerships of contractors.
- The possibility of malicious code insertion by a foreign government or company.
- The unintentional compromise of a system by substituting or replacing some components.
The guidelines include a list of control families, ranging from access control to program management. Most of the controls are taken from NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. One entirely new family specific to supply chain security has been added: provenance, which tracks the history of a component or system, any changes made to it and who made those changes.
NIST is seeking feedback on the guidelines, particularly on how risk management of the IT and communications supply chain integrates with an agency’s overall risk management process, and how useful the threat scenarios and risk assessment processes are.
Comments on the initial draft of SP 800-161 should be sent by October 15 to firstname.lastname@example.org with "Comments NIST SP 800-161" in the subject line. A template for submitting comments is provided.