NIST issues IT supply chain risk management guide


Historically, federal departments and agencies had no consistent or comprehensive methodology for recognizing supply chain compromises in their information technology products and services, says a recently published National Institute of Standards and Technology interagency report (.pdf). The NIST document aims to remedy that by outlining repeatable and "commercially reasonable" supply chain assurance practices.

The report suggests best practices for acquirers, integrators and suppliers working with information systems categorized at the Federal Information Processing Standards 199 high-impact level. It also offers supply-chain-focused evaluation criteria for agencies to assess integrators or suppliers, element processes and elements.

Agencies should consider the organizational history of the supplier, foreign interests and influences, financial history, facilities and personnel security policies, according to report authors. Element processes run the full element life cycle, so agencies should consider risk management at each phase, from concept and planning to disposal, says NIST.

Elements can be compromised through the intentional or unintentional addition of malicious functionality, weaknesses and counterfeits. The report recommends agencies consider an element's architecture and design characteristics, element history and licensing and its publicly available record of vulnerabilities.

Evaluation criteria should also include indications of security consciousness in suppliers' processes and the resulting systems. If there are past vulnerabilities, agencies should consider the speed of patching and how the supplier addresses current known yet unfixed vulnerabilities, says NIST.

"Without reasonable visibility and traceability into supply chain, e.g., elements, processes, and actors, it is impossible to understand and therefore manage risk," write report authors.

The report suggests 10 practices for mitigating supply chain risks through the complete systems development lifecycle:

  • Identify supply chain elements, processes and actors;
  • Limit access and exposure in the supply chain;
  • Establish and maintain the provenance of elements, processes, tools and data;
  • Share information in a coordinated and contained way;
  • Conduct training around supply chain risks;
  • Use defensive design;
  • Continuously review integrators;
  • Strengthen delivery mechanisms;
  • Assure sustainment activities and practices; and
  • Manage disposal and final disposition.

While the report outlines best practices and strategies, federal agencies are not required to implement the techniques suggested in the document. The document notes that a forthcoming special publication, which would mandate implementation on the part of federal agencies, will draw from this IR and be fully harmonized with draft NIST SP 800-53 Revision 4 (.pdf).

For more:
- download the report, NIST IR 7622 (.pdf)
