The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) recently published updated guidance for reducing cybersecurity risks in supply chains.

Titled “Software Supply Chain Security Guidance,” the update is NIST’s response to directives issued by an executive order by President Joe Biden, designed to improve cybersecurity in the United States. 

This NIST guidance is assumed to target federal agencies. However, NIST points out that it can apply to all kinds of organizations. It’s one of the most thorough references out there for cyber supply chain risk management. 

Don’t want to read a 326-page document? Here are the 10 key takeaways that can inform your efforts to secure your supply chain. 

Consider Specific Components of Vulnerabilities 

NIST suggests an atomized view of vulnerabilities. They call for considering not only products but each specific component. Don’t forget “the journey those components took to reach their destination,” either.  

Supply Chains at Risk 

Supply chains are more at risk than ever. Companies manufacture products all over the world, and those products are complex. Different manufacturers from different places may assemble individual components from parts coming from around the world. Each of the dozens, hundreds or thousands of sources for the parts that go into complex machinery, computers and other devices may themselves fall victim to attacks aimed at breathing supply chains. All of this is true of software as well as hardware. 

Customize Guidelines

The NIST guidelines aren’t one-size-fits-all dictates. Instead, the agency designed the principles and practices to be customized. The document says, “Enterprises should identify, adopt, and tailor the practices described in this document to best suit their unique strategic, operational, and risk context.”

Automation Is Essential

You can’t follow the NIST guidelines without automation. In fact, businesses need to automate their risk management workflow in today’s complex supply chain world. 

Every Employee Matters

It takes a village to secure an enterprise. This document dragoons every worker into service as cybersecurity guardians. Plus, it points out that all organizations are interconnected. Finding vulnerabilities in one component of your supply chain often protects others. 

Don’t Skip Appendix A 

Appendix A contains the most important updates. This is the guidelines’ extensive list of “security controls,” which are either safeguards or countermeasures. NIST sorts them into “families,” such as “access control,” “incident response,” “risk assessment” and many others. This is the part that received the greatest amount of bolstering and additions in the new guidelines. 

Zero Trust Matters

The NIST guidance calls for zero trust in supply chains. They don’t belabor the ‘zero trust’ buzzword, but the idea is embedded in the security controls. Under the “access control” family, for example, the document says that “organizations must limit information system access to authorized users, processes acting on behalf of authorized users, devices (including other information systems), and the types of transactions and functions that authorized users are permitted to exercise.”

The “access enforcement” section also points out that “information systems and the supply chain have appropriate access enforcement mechanisms in place.” The guidance contains a lot more about what that means, how enforcement should work and other details. It all adds up to zero trust. 

Supply Chain Connections 

The updated NIST guidance makes it clear that supply chain infrastructure and resources aren’t something separate. Instead, they include information technology and operational technology. NIST also calls out Internet of Things devices, software and services. 

Something for Everyone

It’s not just developers who should read, study and refer to the “Software Supply Chain Security Guidance.” Instead, NIST points out that it has a very broad target audience. The new guidance is relevant to managers, engineers, business owners, developers, project managers, procurement managers and anyone with procurement responsibilities. NIST also designed it for all logistics leaders, system integrators, property managers, continuity planners, anyone involved in privacy, component producers and, of course, everyone involved in cybersecurity. 

Prioritize the Right Risk

Prioritization is key to supply chain risk management. The guidance goes into some detail on risk, how to develop a formal understanding of where the greatest risk lies in the supply chain and how to prioritize and take action on those biggest risks. It also offers advice on viewing risk on three levels: the enterprise, business process and operational levels. 

With endless time, personnel and resources, you could follow the updated NIST “Software Supply Chain Security Guidance” to the letter. In the real world, the document provides a comprehensive, if inevitably aspirational, catalog of risks and remedies for securing supply chains. The guidance can provide a practical roadmap by combining risk prioritization with automation, artificial intelligence and other tools. Plus, it’s a valuable educational tool for the many employees who don’t see themselves as needing to put security first. 

More from Risk Management

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…