Hogan Lovells 2024 Election Impact and Congressional Outlook Report
15 November 2024
Last week, the National Institute of Standards and Technology (NIST) released a “quick-start guide” to facilitate due diligence assessments from a cyber supply chain risk management perspective. The guide helps companies navigate due diligence under the agency’s Special Publication 800-161, which was revised in 2022 to address supply chain cybersecurity risks as directed by the Biden administration’s cybersecurity executive order.
Centered around information and communications technology suppliers, the guide outlines five particular categories for focusing diligence:
For each category, NIST offers various research questions and other resources to help guide acquirers with their assessments. Emphasizing the importance of cyber diligence throughout the supply chain, the guide states that “[d]ue diligence research is the minimum amount of understanding that an acquirer should have on a supplier and should be done with most of the acquiring organization’s suppliers, regardless of criticality.”
NIST invites the public to comment on the guide, with the comment period closing on December 16th.
NIST’s “quick-start guide” is designed to assist acquirers as they evaluate the various risks across their network of suppliers, focusing on supply chain tiers, foreign ownership, control or influence (FOCI), provenance, stability, and foundational cyber practices.