The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for addressing software supply-chain risk, offering tailored sets of suggested security controls for various stakeholders.
Software supply-chain attacks rocketed to the top of the enterprise worry list last year as the SolarWinds and Log4Shell incidents sent shockwaves through the IT security community. Security practitioners are increasingly concerned about the safety of open-source components and third-party libraries that make up the building blocks of thousands of applications. Another cause of worry is the varied ways platforms can be abused, as in the Kaseya attack last year, when cyber criminals compromised a managed application, or with SolarWinds, where they hacked an update mechanism to deliver malware.
NIST’s latest publication offers specific risk-management guidance for profiles such as cybersecurity specialists, risk managers, systems engineers, and procurement officials. Each profile matches up with a set of recommended controls, such as implementing secure remote access mechanisms for tapping the software supply chain, enacting the principle of least privilege, or taking an inventory of all software suppliers and products.
The revised publication formally titled Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), provides guidance on identifying, assessing, and responding to cybersecurity risks throughout the supply chain at all levels of an organization.
The primary audience for the revised publication is acquirers and end-users of products, software, and services. The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks