Supply chain highlighted in Risk Management Framework update

Supply chain risks are getting new attention in an updated risk management framework document from the National Institute of Standards and Technology. NIST's Risk Management Framework for Information Systems and Organizations -- A System Life Cycle Approach for Security and Privacy (Special Publication 800-37) was first published in 2010 and updated in 2014, and it is now being refreshed, with the standards agency seeking comment from the public and stakeholders on the draft revision.

Previous editions of Special Publication 800-37 have mentioned supply chain as one of numerous risks organizations face in working with external partners, but in the new revision, supply chain risks get special attention. The document advises that information system managers integrate supply chain risk management into their overall risk management outlook to address "untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices" throughout the systems development lifecycle. 

The topic of supply chain risk is getting increasing attention across government, in areas ranging from election technology to telecommunications to the internet of things. The Government Accountability Office is putting together a much anticipated report on supply chain security, and agencies ranging from the Department of Commerce to the Federal Communications Commission are targeting foreign-owned IT and telecom gear manufacturers for new regulatory attention.

The NIST 800-37 update also seeks to bring top organizational managers, and not just system owners and operators, into ongoing conversations about risk management practices.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Connect with him on Twitter at @thisismaz.
