The National Institute of Standards and Technology (NIST) is asking for help from the public to update one of its flagship cybersecurity guidelines and inform a new initiative on supply chain security.
In a Request for Information released Friday, the agency said it is seeking to update its Cybersecurity Framework to account for new digital security risks, technologies and resources. Meanwhile, it is launching a new project, the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), that is dedicated to “identifying tools and guidance for technology developers and providers, as well as performance-oriented guidance for those acquiring such technology.” Both projects are expected to involve a similar research focus on the supply chain.
“The Cybersecurity Framework was last updated in April 2018. Much has changed in the cybersecurity landscape in terms of threats, capabilities, technologies, education and workforce, and the availability of resources to help organizations to better manage cybersecurity risk,” the agency wrote. “That includes an increased awareness of and emphasis on cybersecurity risks in supply chains, including a decision to launch NIICS.”
Among the questions NIST is seeking to answer are whether the current framework allows for easy and effective communication about risks between organizations and their supply chain partners, customers and insurers; whether any restrictions on resources, information sharing or the workforce make it impractical to adopt or implement guidance from the framework; and how to better align the updated framework with complementary resources like the Risk Management Framework, the Secure Software Development Framework, the Guide to Industrial Control System Cybersecurity and others.
On the National Initiative for Improving Cybersecurity in Supply Chains, the agency wants to know about the most trenchant security challenges organizations face in their supply chains and how to build on related efforts, such as its software security initiatives that emerged as a result of President Joe Biden’s cybersecurity executive order last year. NIST is also interested in any narrowly applied programs on software or hardware assurance that could have broader application to securing the digital integrity of the global supply chain.
The agency will be accepting written or emailed comments from the public for the next 60 days.