A federal IT standards body has moved to add key supply-chain provisions to its risk management guidance at a time of growing concern that Russian and Chinese companies pose a threat to national security.
The National Institute of Standards and Technology on Wednesday released a draft update to its influential Risk Management Framework, which federal agencies use to assess cyber risk. The provisional update includes measures to guard against untrusted suppliers and the possibility of hackers slipping malicious code into the supply chain.
Defining — let alone securing — all the components and systems that organizations get from third parties can be a struggle, according to the document. One answer, NIST says, is building “a chain of trust” with suppliers to ensure that each one of them provides adequate security protections for their products.
The new measures are critical because of the globalized nature of the IT supply chain, according to NIST fellow Ron Ross, one of the publication’s authors.
With the United States importing IT products from around the world, “many times, we don’t know who built it, or how they built it, or what’s going on inside that black box,” Ross said Wednesday at a cybersecurity conference at the Department of Justice headquarters. “We need to understand more about supply chain.”
NIST’s proposals come as the U.S. government has cracked down on products made by Russian antivirus vendor Kaspersky Lab and Chinese telecom companies Huawei and ZTE.
Citing national security concerns, the Department of Homeland Security last September ordered federal agencies to remove all Kaspersky products from their networks. U.S. officials have also moved to counter what they say is the risk of Chinese espionage through telecom firms Huawei and ZTE. Last week, the Pentagon told vendors on military bases to stop selling smartphones and other products made by those two companies.
The NIST draft guidance also strives to get agencies, which store a vast amount of personally identifiable information (PII), to more tightly couple privacy and security considerations.
“When an information system processes PII, the organizations’ information security program and privacy program have a shared responsibility for managing the risks to individuals that may arise from unauthorized system activity or behavior,” the document states.
As Ross put it: “When it comes to protecting security and privacy, we want to make sure that all of the things come from the senior leadership and flow seamlessly downstream.”
Our expanding digital footprints, fueled by things like social media, make the need for privacy protections all the more acute, according to Ross.
“We desperately need to have good privacy safeguards and requirements that we can employ within the federal government so we can make sure we do our job to protect our personally identifiable information,” Ross said.
NIST’s draft update is open for public comment until June 22. The standards body plans to publish a final version in October.