Contributing Writer

With supply chain security grabbing headlines, NIST sees new relevance for its guidance

Nov 19, 2018
8 mins

Risk Management, Security

Supply chain is sexy again, and NIST hopes that means more companies take its supply chain risk guidance seriously.


Cybersecurity in the supply chain is a dense, massively complicated topic that lies beyond the comprehension of all but a few dedicated experts. It has nonetheless risen to the top of the security challenges organizations face today. “Supply chain is the new black. Supply chain is sexy again. That’s kind of hard to imagine,” said Jon Boyens, who manages cybersecurity supply chain efforts as manager of security engineering and risk management at the National Institute of Standards and Technology (NIST). Boyens made that comment during a plenary session at NIST’s Cybersecurity Risk Management Conference.

NIST’s long history with supply chain risk

NIST is an old hand at supply chain outside the cybersecurity realm, starting decades ago when it began developing guidance for managing risk in global industrial and defense supply chains. “Supply chain is the most mature in its gestation because we’ve had all sorts of permutations along the way. This is an old topic for defense organizations,” says Matt Barrett, NIST’s Cybersecurity Framework lead.

NIST began its cybersecurity supply chain risk management efforts in 2008 and spent several years engaging with the private sector to develop recommendations and guidance. “I have a lot of scars from that effort,” Boyens joked. NIST published its flagship supply chain guidance in 2015, focusing first on the federal government and producing a complex 300-plus-page tome on how agencies can get supply chain risk management right.

That document, NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, remains its most comprehensive guidance on supply chain risk management. In the latest iteration of the NIST Cybersecurity Framework (version 1.1, released in April 2018), NIST added a Supply Chain Risk Management category (ID.SC) with key subcategories as guidance to organizations.

This guidance, simplified and mapped to the new NIST Cybersecurity Framework categories, is:

  • Identify, establish and assess cyber supply chain risk management processes and gain stakeholder agreement (ID.SC-1).
  • Identify, prioritize and assess suppliers and third-party partners of information systems, components and services (ID.SC-2).
  • Develop contracts with suppliers and third-party partners to address your organization’s supply chain risk management goals (ID.SC-3).
  • Routinely assess suppliers and third-party partners using audits, test results and other forms of evaluation (ID.SC-4).
  • Conduct response and recovery planning and testing with suppliers and third-party providers to confirm they can respond to and recover from service disruption (ID.SC-5).

A new era of supply chain risk management

Now, “We’re in a different era, we’re really focused on awareness,” Boyens said, “because we’re in another hype cycle.” Several recent moves by the U.S. federal government to ban foreign suppliers due to alleged supply chain security risks are in part driving this hype cycle, which has further propelled the topic to the top of every CISO’s agenda.

First, late last year a bill was signed into law that banned government use of products made by Russian cybersecurity firm Kaspersky Lab, following a months-long, and some say years-long, effort to remove the firm from federal networks due to its alleged close ties to the Kremlin. In August of this year, another bill became law that bans the use of Chinese telecom suppliers Huawei and ZTE by the government and government contractors due to the firms’ ties with the Chinese government.

More recently, a controversial and widely criticized Bloomberg Businessweek story about China implanting spy chips into motherboards made by Super Micro drew frenzied levels of attention to the topic of supply chain, despite the fact that no evidence has been produced that the story is true and all the principals involved, including Apple’s CEO Tim Cook, roundly denied the article’s claims.

(In an interview, Boyens reaffirms the skepticism over the article. “I’ve yet to see any researchers come out with evidence, and usually the research community with something like this would be very focused on it,” he says. “I would say it’s much more difficult with software to have traceability. With hardware I suspect we would by now have some evidence.”)

The actions to limit foreign suppliers due to supply chain security risks are questioned by many cybersecurity experts. Later, in a deep dive “lunch and learn” session at the NIST conference, Boyens said he has tried to “explain you can’t do foreign versus not-foreign because in today’s world, it doesn’t matter. You can have a foreign company that has manufacturing plants in the U.S. You can have a U.S.-owned manufacturer plant in the U.S. that hires foreign workers. It’s so complex now, it just doesn’t matter.”

Disruption coming to the supply chain

During his session, Boyens said, “There are going to be disruptions in supply chain; it’s inevitable, it happens.” The real stumbling block right now is who owns the problem. Holding up a smartphone, he said, “If there is something in here that has an extra functionality, who’s liable for that? Is it the carrier? Is it the phone manufacturer?” Typically, it’s the weakest link in the supply chain that’s the culprit. “Attackers are going to the weaker link.”

From a broader perspective, today’s supply chain woes can be traced back to the shift away from proprietary technology that dominated the tech landscape in the 1980s to early 1990s. Twenty-five years ago, 80 percent to 90 percent of products used customized or proprietary technology, but today that ratio is reversed.

“Yes, we’ve reaped the rewards…the system has given us cheaper products, more innovative products, but it’s also made us more dependent on all of those products. It’s also created more security risks,” Boyens said. “There’s decreased understanding about how those products and services are made, where they come from, who is touching them. It’s a matter of a lack of control over how to manage that risk and how to overcome that.”

Multiple federal agencies working on supply chain security

NIST is taking several steps to get its arms around the problem, some of which differ from the supply chain approaches used by other government agencies. NIST participated in the update of OMB Circular A-130, for example, the governing document for the management of federal information resources, and, Boyens said, “throughout we sprinkled some supply chain love. It really only requires agencies to have a supply chain risk management plan.”

NIST also took part in the recent update of CNSS Directive (CNSSD) 505, the supply chain risk management policy for national security systems, which directs agencies to have a supply chain risk management program for those systems. NIST also worked to bring supply chain into the latest iteration of its Cybersecurity Framework, a move that was too controversial when the Framework was first released in 2014.

“We did not put supply chain into the first version of the Framework because the Framework at the time was fairly controversial. Sectors feared it would become a tool for regulations. We decided not to marry two very controversial people,” Boyens said.

Another effort that NIST is involved in is a project by the Department of Homeland Security (DHS), the ICT Supply Chain Task Force, which has been charged with developing consensus recommendations for identifying and managing global supply chain risks. “Supply chain is the 2019 issue du jour,” Robert Mayer of US Telecom and a co-director of the task force, said during a panel discussion on supply chain initiatives at the conference.

In terms of the federal government’s focus, “The supply chain issue is actually now spreading into other areas of policymaking,” says John Miller of the Information Technology Industry Council, the other co-director of the task force. Given the hype cycle, the government’s renewed interest in supply chain may not yet be headed in the right direction. “It’s difficult for policymakers to implement risk-based solutions when there are other blunter tools to solve the problem. Country of origin is an issue but it’s not the only issue.”

However, “the nice thing about the renewed focus is that it gives a push to the marketplace to up the innovation. Government, the ecosystem writ large, is thinking about it,” says another task force member, Evelyn Remaley, deputy associate administrator in the Office of Policy Analysis at the National Telecommunications and Information Administration (NTIA).

A big challenge for some organizations is the lack of information on what the supply chain threats are. “I think we have good processes in place from a comms perspective,” says task force member Chris Boyer, assistant VP for global public policy at AT&T. “What would be helpful is having more intelligence coming in from the intelligence community. Today the process to get that information is a little more ad hoc.”

One goal for the task force is to take a strategic approach to the problem of cybersecurity supply chain risk management. “We want to make sure we’re taking a strategic approach about this problem. We want to get quick wins in the board but we don’t want to go off and do scattershot things,” Miller says. “The task force isn’t going to solve all [the supply chain] problems.”

Cynthia Brumfield is a veteran communications and technology analyst who is currently focused on cybersecurity. She runs a cybersecurity news destination site, consults with companies through her firm DCT-Associates, and is the author of the book published by Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.