NIST wants public input on updates to Cybersecurity Framework, supply chain security

An employee points at motherboards at the Intel stand at the 2009 CeBIT technology trade fair. The National Institute for Standards and Technology is prepping for a supply chain focused update to its Cybersecurity Framework. (Photo by Sean Gallup/Getty Images)

The National Institute for Standards and Technology (NIST) is asking for help from the public to update one of its flagship cybersecurity guidelines and inform a new initiative on supply chain security.

In a Request for Information released Friday, the agency said it is seeking to update its Cybersecurity Framework to account for new digital security risks, technologies and resources. Meanwhile, it is launching a new project, the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), that is dedicated to “identifying tools and guidance for technology developers and providers, as well as performance-oriented guidance for those acquiring such technology.” Both projects are expected to share a similar research focus on the supply chain.

“The Cybersecurity Framework was last updated in April 2018. Much has changed in the cybersecurity landscape in terms of threats, capabilities, technologies, education and workforce, and the availability of resources to help organizations to better manage cybersecurity risk,” the agency wrote. “That includes an increased awareness of and emphasis on cybersecurity risks in supply chains, including a decision to launch NIICS.”

Among the questions NIST is seeking to answer are whether the current framework allows for easy and effective communication about risks between organizations and their supply chain partners, customers and insurers; whether any restrictions on resources, information sharing or the workforce make it impractical to adopt or implement guidance from the framework; and how to better align the updated framework with complementary resources like the Risk Management Framework, the Secure Software Development Framework, the Guide to Industrial Control System Cybersecurity and others.

On the National Initiative for Improving Cybersecurity in Supply Chains, the agency wants to know about the most pressing security challenges organizations face in their supply chains and how to build on related efforts, such as the software security initiatives that emerged from President Joe Biden’s cybersecurity executive order last year. NIST is also interested in any narrowly applied programs on software or hardware assurance that could have broader application to securing the digital integrity of the global supply chain.

The agency will be accepting written or emailed comments from the public for the next 60 days.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
