NIST releases draft document on cybersecurity supply chain risk management practices for systems, organizations


The National Institute of Standards and Technology (NIST) has released the second public draft of its Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations for public comment. The document lays down guidelines for enterprises on how to identify, assess, select, and implement risk management processes, in addition to mitigating controls across the enterprise to help manage cybersecurity risk in the supply chain.

The initial public draft was published in April, ahead of U.S. President Joe Biden’s Executive Order (EO) 14028 on ‘Improving the Nation’s Cybersecurity’ that charged multiple federal agencies, including the NIST with enhancing cybersecurity through a variety of initiatives, but with a specific focus on the security and integrity of the software supply chain.

The complex, interconnected, and globally distributed supply chain ecosystem is made up of IT and operational technology (OT) networks consisting of multiple levels of outsourcing. The ecosystem is composed of public and private sector entities including suppliers, system integrators, and other ICT/OT-related service providers, working along with technology, law, policy, procedures, and practices that interact to conduct research and development, design, manufacture, acquire, deliver, integrate, operate, maintain, dispose of, and otherwise utilize or manage ICT/OT products and services.

C-SCRM is a systematic process that manages exposure to the cybersecurity risks, threats, and vulnerabilities presented by suppliers, supplied products and services, and the supply chain itself, and develops appropriate response strategies. It is an enterprise-wide activity that should be directed under the enterprise's overall governance, regardless of the specific enterprise structure.

In its Special Publication (SP) 800-161 Revision 1, open for public comment until Dec. 3, NIST stresses that the C-SCRM guidance is not one-size-fits-all. Instead, the document should be adopted and tailored to the unique size, resources, and risk circumstances of each enterprise. Enterprises adopting this guidance may vary with regard to their progress toward implementing and adopting C-SCRM practices internally. To that end, the document describes key practices observed in enterprises and offers a general prioritization of C-SCRM practices for enterprises to consider as they implement and mature C-SCRM.

NIST pointed out that when engaging with suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers, agencies should carefully consider the breadth of the federal government’s footprint and the high likelihood that individual agencies may enforce varying and conflicting C-SCRM requirements. Overcoming this complexity requires interagency coordination and partnerships.

One of the focus areas in the current draft of NIST SP 800-161 Revision 1 is additional guidance specific to federal executive agencies on supply chain risk assessment factors, assessment documentation, risk severity levels, and risk response. The Federal Acquisition Supply Chain Security Act of 2018 (FASCSA), Title II of the SECURE Technology Act, was enacted to improve executive branch coordination, supply chain information sharing, and actions to address supply chain risks.

The law also set up the Federal Acquisition Security Council (FASC), an interagency executive body at the federal enterprise level. The council is authorized to perform a range of functions intended to reduce the federal government’s supply chain risk exposure and risk impact.

The FASCSA provides the FASC and executive agencies with authorities relating to mitigating supply chain risks, including exclusion and/or removal of sources, and covered articles. It also mandates agencies conduct and prioritize supply chain risk assessments (SCRAs), and addresses the need for a baseline level of consistency and alignment between agency-level C-SCRM risk assessment and response functions and those SCRM functions occurring at the government-wide level by authorized bodies such as the FASC.

NIST anticipates publishing the final version by April next year, though these dates are subject to change.

Kaspersky said last week that one of the key trends that it has seen in the third quarter this year was that it continues to detect supply-chain attacks, including those of SmudgeX, DarkHalo, and Lazarus. Based on its investigation, Kaspersky found indications that point to Lazarus building supply-chain attack capabilities. In one case, it found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload, and in another instance, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus.

The EU Agency for Cybersecurity, ENISA, also said in July that its analysis of the supply chain threat landscape revealed that in about 58 percent of the supply chain incidents analyzed, the customer assets targeted were predominantly customer data, including personally identifiable information (PII) and intellectual property.

It also found that for 66 percent of the supply chain attacks analyzed, suppliers did not know, or failed to report on how they were compromised, ENISA said. However, less than nine percent of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-users, the report added.

Microsoft revealed last month that the Russian nation-state hacking group Nobelium is attacking a different part of the supply chain, including resellers and other technology service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers. The recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling, now or in the future, targets of interest to the Russian government.

Nobelium is the same Russian hacking group behind last year’s SolarWinds hack.
