The National Institute for Standards and Technology will look to update its Cybersecurity Framework to account for potential security weaknesses in the supply chain and align it with other NIST guidance.
At a public meeting this week Kevin Stine, NIST’s chief of the Applied Cybersecurity Division, said the agency would put out a request for information early next year to canvass industry on how to shape the update.
One of the main “pillars” of the query will focus on incorporating new guidance to help organizations address security challenges within their internal supply chains. While the agency has been studying the topic years, interest and the desire from industry for clear guidance on how to manage that risk has shot up the past few years as nation state and criminal hackers increasingly take advantage of compromises at major software or cloud providers to infect their downstream customers.
“I think, you know, almost every conversation we participate in today…it all comes back to different dimensions of the supply chain,” said Stine Wednesday at a meeting of the Information Security and Privacy Advisory Board.
The updates will also feed into NIST’s supply chain risk management program as well as an initiative launched by the Department of Commerce following President Biden’s cybersecurity summit in August to assess ways to build and assess secure technologies, evaluate open source software, develop international standards and provide advice that is specifically tailored to the supply chain challenges of small businesses.
The Cybersecurity Framework is one of NIST’s flagship publications, a voluntary set of cybersecurity guidelines that are widely adopted across different industries in the United States and around the world. It was last updated in 2018 and while previous revisions do touch on supply chain issues, Stine said the agency wants “to get feedback on whether we went far enough, is there more we can do and are there other resources that would provide value to the community?”
In addition to new supply chain guidance, the RFI will also likely address ways to make the framework more consistent with other NIST documents, like the Privacy Framework, Risk Management Framework, Secure Software Development Framework and others.
“We’re very conscious of the types and the volume of resources that we issue and we want to make sure that the things that we produce actually do provide value and are aligned and harmonize as much as possible with the other resources that we produce,” Stine said.