With supply chain security grabbing headlines, NIST sees new relevance for its guidance

Supply chain is sexy again, and NIST hopes that means more companies take its supply chain risk guidance seriously.

supply chain management connections - ERP - Enterprise Resource Planning

Cybersecurity in the supply chain is a dense, massively complicated topic that lies beyond the comprehension of all but a few dedicated experts. It has nonetheless risen to the top of security challenges organizations face today. “Supply chain is the new black. Supply chain is sexy again. That’s kind of hard to imagine,” said Jon Boyens, manager, security engineering and risk management at the National Institute of Standards and Technology (NIST). Boyens, who manages cybersecurity supply chain efforts at the National Institute of Standards and Technology (NIST), made that comment during a plenary session at NIST’s Cybersecurity Risk Management Conference.

NIST’s long history with supply chain risk

NIST is an old hand at supply chain outside the cybersecurity realm, starting decades ago when it began developing guidance for managing risk in global industrial and defense supply chains. “Supply chain is the most mature in its gestation because we’ve had all sorts of permutations along the way. This is an old topic for defense organizations,” says Matt Barrett, NIST’s Cybersecurity Framework lead.

NIST began its cybersecurity supply chain risk management efforts in 2008 and worked for several years engaging with the private sector to develop recommendations and guidance. “I have a lot of scars from that effort,” Boyens joked. NIST came out with its flagship supply chain guidance in 2015, focusing first on the federal government and producing a complex 300-plus page tome on how agencies can get supply chain right.

That document, NIST Special Publication 800-161, Supply Chain Risk Management, Practices for Federal Information, Systems and Organizations, is its most comprehensive set of guidance to date on supply chain risk management. In its latest iteration of the NIST Cybersecurity Framework, NIST added some key supply chain subcategories as guidance to organizations.

This guidance, simplified and mapped to the new NIST Cybersecurity Framework categories, is:

To continue reading this article register now

Microsoft's very bad year for security: A timeline