News

Security Snippets: NIST publishes guide on due diligence for cyber supply chain risk management

""
""

Last week, the National Institute of Standards and Technology (NIST) released a “quick-start guide” to facilitate due diligence assessments from a cyber supply chain risk management perspective. The guide helps companies navigate due diligence under the agency’s Special Publication 800-161, which was revised in 2022 to address supply chain cybersecurity risks as directed by the Biden administration’s cybersecurity executive order.

Centered around information and communications technology suppliers, the guide outlines five particular categories for focusing diligence:

  • Supply chain tiers. The guide prompts acquirers to evaluate their supply chain beyond their direct suppliers and organize their suppliers into levels depending on their relationship with the aquirer (e.g., distinguishing between direct or “first-tier” suppliers and “second-tier” suppliers who offer services to those first-tier suppliers).
  • Foreign ownership, control or influence. This category involves assessing suppliers’ ties to governments and whether a foreign government holds “significant, ultimate, beneficial, or institutional ownership stake in the supplier.”
  • Provenance. Acquirers are advised to develop a “chronology” of its supply chain that tracks where components and subcomponents come from and who owns them at each stage.
  • Stability. Diligence considerations for stability focus on any risks or concerns that may impact a supplier’s ability to satisfy contractual obligations or compliance requirements, and anything which may impede product reliability.
  • Foundational cyber practices. The guide calls on acquirers to review both a supplier’s overall cybersecurity posture and the supplier’s product-specific practices for maintaining security.

For each category, NIST offers various research questions and other resources to help guide acquirers with their assessments. Emphasizing the importance of cyber diligence throughout the supply chain, the guide states that “[d]ue diligence research is the minimum amount of understanding that an acquirer should have on a supplier and should be done with most of the acquiring organization’s suppliers, regardless of criticality.”

NIST invites the public to comment on the guide, with the comment period closing on December 16th.

NIST’s “quick-start guide” is designed to assist acquirers as they evaluate the various risks across their network of suppliers, focusing on supply chain tiers, foreign ownership, control or influence (FOCI), provenance, stability, and foundational cyber practices.

Search

Register now to receive personalized content and more!