Standards Support Business Resilience: NIST Releases Cyber Supply Chain Risk Management Strategies

2/5/2020
ANSI Encourages Stakeholder Feedback on the Draft Document

In an effort to reduce cybersecurity risks within global supply chains, the National Institute of Standards and Technology (NIST) this month released a draft guidebook on cyber risk management for businesses of all types. Among its key recommendations, NIST underscores the use of industry standards to determine supplier criticality. The American National Standards Institute (ANSI) encourages stakeholder feedback on the draft, which is open for public comment until March 4, 2020.

The guidance builds on research from NIST's Cyber Supply Chain Risk Management (C-SCRM) program and information from company interviews in 2015 and 2019. NIST has also published 24 case studies that demonstrate how different companies—including ANSI members Mayo Clinic, Palo Alto Networks, Inc., and Seagate Technology—implement cyber assessment strategies to protect their businesses.

Safety First: How Cyber Supply Chain Risk Management Supports Business Security

Regardless of organization type—from aerospace to manufacturing—supply chain compromise has the potential to disrupt business and filter down to products and services. A breach in the supply chain can be costly and pose major safety issues. Although businesses may be well equipped with security tools and protection, they need to assess whether the links throughout their supply chain have the same type of protection to avoid hacks.

NIST defines "Cyber Supply Chain Risk Management" as the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of information technology/operational technology (IT/OT) product and service supply chains. It adds that C-SCRM covers "the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage."

NIST launched its Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) program in 2008 to develop guidelines on mitigation and implementation methodologies.

Key Practices in Cyber Supply Chain Risk Management (Draft NISTIR 8276) details key practices for organizations of any size, scope, and complexity, and points to additional resources for further research into C-SCRM best practices, including practices specific to an organization's industry.

E-mail feedback to scrm-nist@nist.gov by March 4, 2020.

As the voice of the U.S. standards and conformity assessment system, the American National Standards Institute (ANSI) empowers its members and constituents to strengthen the U.S. marketplace position in the global economy while helping to assure the safety and health of consumers and the protection of the environment.
