FDAnews
www.fdanews.com/articles/13077-nist-issues-cybersecurity-framework-with-new-focus-on-supply-chain-risk

NIST Issues Cybersecurity Framework With New Focus on Supply Chain Risk

April 27, 2018

The National Institute of Standards and Technology released a new version of its cybersecurity framework that adds a focus on supply chain risks and risk management.

Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity “should be every company’s first line of defense,” and adopting the new version is a “must do for all CEOs,” said Commerce Secretary Wilbur Ross.

The voluntary framework consists of standards, guidelines and best practices. The updated document includes a new section on self-assessment; how to use the framework for cyber supply chain risk management purposes; refinements to better account for authentication, authorization, and identity proofing; and coordinated vulnerability disclosure.

Cyber supply chain risk management activities may include:

  • Determining cybersecurity requirements for suppliers;
  • Enacting cybersecurity requirements through formal agreements;
  • Communicating to suppliers how cybersecurity requirements will be verified and validated; and
  • Verifying that cybersecurity requirements are met through a variety of assessment activities.

The core of the NIST framework consists of five functions — identify, protect, detect, respond and recover. Considered together these functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.

Devicemakers can use their existing processes and leverage the framework to identify opportunities to strengthen their management of cybersecurity risk, communicate that risk to stakeholders, and align with industry practices.

“Organizations will continue to have unique risks — different threats, different vulnerabilities, different risk tolerances,” NIST said. “They also will vary in how they customize practices described in the Framework.”

Cyber supply chain risk management addresses both the “cybersecurity effect an organization has on external parties and the cybersecurity effect external parties have on an organization,” NIST says. A primary objective of cyber supply chain risk management is to identify, assess, and mitigate “products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.”

Read the NIST framework here: www.fdanews.com/04-24-18-NISTframework.pdf.