NIST Releases Quick-Start Guide for Cybersecurity Supply Chain Risk Management

NIST released an initial public draft of the Cybersecurity Supply Chain Risk Management: Due Diligence Assessment Quick-Start Guide. People who make cybersecurity supply chain purchasing decisions can use the guide for managing supply chain risk in accordance with NIST Special Publication (SP) 800-161 (Revision 1). The information in the quick start guide applies to any type of vendor, but it was drafted to focus on information and communications technology (ICT) suppliers. It is a supplement to the content within SP 800-161r1 and is not intended to replace it.

Cybersecurity Supply Chain Risk Management: Due Diligence Assessment Categories

The quick start guide includes the following categories for organizations to research when selecting vendors:

Supply Chain Tiers

Suppliers are organized into tiers based on their relationship to the end user.
• First-tier suppliers provide products and/or services directly to the end user.
• Second-tier suppliers provide products and/or services to first-tier suppliers.
• The tiers can go down to any level, depending on organizational preference. Going down further in the supply chain tier structure increases one’s visibility and understanding, but the difficulty and cost exponentially increase.

Foreign Ownership, Control, or Influence (FOCI)

FOCI considerations for a supplier constitute significant ties to governments or government-controlled interests outside of the designated focal country with the power to affect the company’s management or operations.

Provenance

Chronology of the origin, development, ownership, location, and changes to a system or system component, associated data, personnel, and services.

Stability

Information that potentially impacts a supplier’s ability to meet contractual obligations, including product reliability, and compliance with government regulations.

Foundational Cyber Practices

Research the cyber health of the supplier’s public-facing IT assets to measure its ability to deliver promised services and safeguard sensitive data. Also learn about the supplier’s use of cybersecurity key practices when developing products as well as product-specific concerns that cause offerings to not operate as the manufacturer originally intended, including software and firmware found in hardware products.
NIST is accepting public comment on this draft. Comments are due on December 16th, 2024, and can be emailed to scrm-nist@nist.gov.
The Cybersecurity Supply Chain Risk Management: Due Diligence Assessment Quick-Start Guide can be downloaded here or by clicking on the image below.

CompliancePoint offers a suite of cybersecurity services designed to help organizations design and implement effective security programs. We can also help businesses comply with a variety of cybersecurity standards, including NIST, CMMC, FedRAMP, ISO 27001, SOC 2, PCI DSS, and more. Contact us at connect@compliancepoint.com to learn more about our services.