The National Institute of Standards and Technology (“NIST”) is seeking comments on its draft NIST SP 800-161 Rev. 1, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” published on April 29, 2021. The public comment period currently is open and concludes on June 14, 2021. NIST anticipates releasing a second draft in September 2021, with a final version anticipated to be released by April 2022.

The updates to NIST SP 800-161 are focused primarily on helping organizations identify, assess, and respond to cyber supply chain risks while remaining aligned with NIST’s other fundamental cybersecurity risk management guidance. The revision is designed to incorporate next-generation cyber supply chain risk management (“C-SCRM”) controls, strategies, policies, plans, and risk assessments into broader enterprise risk management activities through a multi-level approach. The ultimate goal of these major updates is to provide implementation guidance in a “more modular and consumable manner for acquirers, suppliers, developers, system integrators, external system service providers, and other information and communications technology (ICT)/operational technology (OT)-related service providers.”

Additionally, in an interview with Inside Cybersecurity, Jon Boyens, Deputy Chief of NIST’s Computer Security Division, stated that the updates to NIST SP 800-161 seek to address a “big gap” related to acquisition and procurement. To that end, NIST SP 800-161 describes how acquisition activities are essential to improving the management of cyber supply chain risks “at every step of the procurement and contract management process.” Acquisition is listed as one of five success factors, which are all described as “requisite organizational processes and capabilities to make C-SCRM successful.” The remaining factors are (1) Supply Chain Information Sharing, (2) C-SCRM Training and Awareness, (3) Capability Implementation Measurement and C-SCRM Metrics, and (4) Dedicated Resources.

As mentioned, the comment period for this draft closes June 14, 2021. With a clear focus on acquisition and procurement in this major update to NIST SP 800-161, it is important that contractors provide industry perspective as NIST seeks to address this issue. More information on the commenting process can be found on the NIST website.

Guidance on Software Supply Chain Security

Seeking to provide further guidance on cyber supply chain risk management, NIST and the Cybersecurity and Infrastructure Security Agency (“CISA”) also released guidance titled “Defending Against Software Supply Chain Attacks” in April 2021. This guide serves as a primer for companies, providing readers with an overview of software supply chain risks and recommendations on how both software customers and vendors can identify, assess, and mitigate these risks using the NIST C-SCRM framework and the Secure Software Development Framework (“SSDF”).

The guide describes the Information and Communications Technology (“ICT”) Supply Chain Lifecycle as having six phases: (1) design, (2) development and production, (3) distribution, (4) acquisition and deployment, (5) maintenance, and (6) disposal. An example is provided for each phase, such as the SolarWinds hack under Phase 2, Development and Production, or the Kaspersky antivirus example under Phase 4, Acquisition and Deployment. The guide also describes common attack techniques, such as hijacking updates or compromising open-source code, and the consequences of software supply chain attacks.

Additionally, there are eight suggested NIST practices listed in the guide:

  1. Integrate C-SCRM across the organization
  2. Establish a formal C-SCRM program
  3. Know and manage critical components and suppliers
  4. Understand the organization’s supply chain
  5. Closely collaborate with key suppliers
  6. Include key suppliers in resilience and improvement activities
  7. Assess and monitor throughout the supplier relationship
  8. Plan for the full lifecycle

By establishing these eight key practices, organizations will be better positioned to prevent, mitigate, and respond to software vulnerabilities that are potentially introduced through the cyber supply chain and later exploited by malicious actors. Companies that sell software to the government should familiarize themselves with this guidance as well as the Biden Administration’s recent Executive Order on cybersecurity, which calls for new software standards and recommends actions to mitigate the risk associated with supply chain attacks.