New guidance from the National Institute of Standards and Technology is aimed at helping organizations better understand the risks associated with the information and communications technology supply chain, including security vulnerabilities that could appear in purchased technologies.
"The supply chains have become more complex," says Jon Boyens, a NIST senior adviser for information security, who co-authored the just-published Special Publication 800-161,, "The Supply Chain Risk Management Practices for Federal Information Systems and Organizations."
"The information systems in which the government agencies depend upon [also] have become much more complex," Boyens says in an interview with Information Security Media Group. "And, the scale and number of systems on which we depend upon has increased significantly. Part of it is that complexity [decreases] the visibility and understanding government acquirers [of IT wares] have in the products and services that they use."
The new NIST publication, issued earlier this month, provides guidance on identifying, assessing and mitigating risks at all levels of the information and communications technology supply chain risks. Although tailored for federal government agencies, Boyens says most of the recommendations could apply to organizations in all sectors.
Supply chain risks could include insertion of counterfeit products, unauthorized production, product tampering, theft, insertion of malicious software and hardware as well as poor manufacturing and development practices, Boyens explains. These risks are associated with an organization's decreased visibility into, and understanding of, how the technology that they acquire is developed, integrated and deployed as well as the practices used to ensure the integrity, security, resilience and quality of the products and services.
Supply Chain Risks
In the interview, Boyens discusses:
- The increased use by government and other organizations of commercial off-the-shelf software that could become infected with malware or coded in a way that could make IT systems vulnerable;
- Why the cost of software could increase because organizations' insistence that safeguards against supply chain vulnerabilities be built into products they acquire; and
- Who within an agency or enterprise should be responsible for assessing supply chain risk management.
Since October 2010, Boyens has led the information and communications technology supply chain risk management program at NIST, which is part of the Commerce Department. He has helped develop and coordinate cybersecurity policy among Commerce Department bureaus. He also has worked on various White House-led initiatives, including those on trusted identities, identifying botnets, supply chain management and the NIST cybersecurity framework. Boyens also served as the Commerce secretary's cybersecurity policy adviser as well as associate director of the Office of Technology and E-Commerce in the International Trade Administration.