NIST (National Institute of Standards and Technology) is a federal agency under the responsibility of the US Department of Commerce. Established in 1901 to promote innovation and industrial competitiveness in the US, NIST helps organizations advance measurement science, technology, and standards to improve the quality of life for citizens and enhance economic security.
The NIST Cybersecurity Supply Chain Risk Management (C-SCRM) program helps organizations manage cybersecurity supply chain risks more effectively by identifying, assessing, and mitigating the risks inherent to digital supply chains, which often run on a complex and interconnected ecosystem of distributed systems.
The C-SCRM program covers the full life cycle, including development, design, deployment, distribution, acquisition, destruction, and maintenance phases. It does so by conducting research, providing resources, and convening stakeholders to help organizations manage the risks to their cybersecurity supply chains.
This is part of an extensive series of guides about the software supply chain.
In this article:
For digital supply chains, cybersecurity risk is the potential damage or disruption that can result from attackers infiltrating vendors, supply chains, products, and services.
Supply chain cybersecurity risk has always existed, but threat actors have sharply increased their attacks in the past several years, prompting warnings of increased risk from government agencies such as NIST, the Cybersecurity & Infrastructure Agency, and The European Union Agency for Cybersecurity, Threat actors have myriad attack avenues, including insider threats at system integrators who abuse their privileges to steal data, and attackers who breach development pipelines at respected software companies to insert malware into a new product release.
Supply chain cybersecurity vulnerabilities negatively impact a company in several ways:
Not only are supply chain vulnerabilities sometimes difficult to ferret out, but the interrelated nature of modern digital supply chains can expose businesses to cascading risks. For example, the recent Log4j incident involved a critical vulnerability used in a very popular open source logging component. Possibly millions of organizations worldwide were impacted, either because Log4j was directly included in their software or indirectly included in a component or device they were using.
NIST defines supply chain risk management as the practice of maintaining security, quality, resilience, and integrity standards for the entire supply chain, including all relevant services and products.
Managing cybersecurity risk in supply chains is a complex undertaking that touches on a wide range of organizational functions and processes. In particular, NIST focuses on:
NIST places C-SCRM at the intersection of supply chain management and information security. Existing cybersecurity and supply chain practices offer a foundation for creating effective risk management programs.
C-SCRM can only be effective if implemented as an enterprisewide activity. The program must involve all tiers, including the organization level, mission or business processes, and information systems. Organizations need to implement the program across the entire system development life cycle.
Risk management processes
Integrating C-SCRM into an overall risk management strategy starts with assessing and identifying applicable risks to determine appropriate response actions. Organizations then use that assessment to build a C-SCRM strategy and implementation plan that documents specific response actions and monitors performance against the plan. There are two key components of this exercise:
Organizations can build a cost-effective strategy for supply chain risk mitigation by identifying the most vulnerable components or systems that can cause the biggest impact if compromised, and where possible, automatically remediate them. This requires the adoption and implementation of advanced security tools. There are seven imperatives for any supply chain risk management solution:
Accuracy: Users need to be confident that their solution will accurately detect and alert them to vulnerabilities without generating false positives.
Zero trust: Solutions should employ a zero-trust approach that requires every request for use or access of resources and data to be authenticated, authorized, and continuously validated for security compliance. In a zero-trust environment, every software is untrusted by default and measures are deployed to verify and secure all resources before access is granted.
Comprehensive coverage: Effective security solutions must integrate with a wide range of platforms and programming languages to maximize the scope of code they can check and to minimize the potential for overlooking flaws and vulnerabilities.
Speed: As the speed of the software development lifecycle (SDLC) accelerates and the volume of development rapidly grows, it becomes increasingly vital to rapidly find and fix vulnerabilities to avoid costly development delays.
Prioritization: The increasing volume of attacks on the application layer and the development process poses a challenge for security tools. Not all vulnerabilities pose a serious threat, and remediating them wastes valuable time and resources that should be focused on addressing more serious threats. Look for solutions that can prioritize which vulnerabilities to tackle in order to optimize your security and best safeguard your codebase.
Remediation: Ideally, security solutions should go further than simply detecting vulnerabilities. Advanced solutions will offer recommendations to fix them, or provide automatic remediation capabilities to repair code at the source.
Shift left/ease of use: It is easier and faster to address vulnerabilities early in the SDLC, and can increase the effectiveness of security processes. Shifting security left in this manner puts the onus on developers to implement these security processes, and many balk at using tools that slow the development process. The key is to find advanced tools that are both accurate, easy to use, and can blend seamlessly into the regular developer workflow.
Top 4 NIST Best Practices for Software Supply Chain Risk Management
NIST issued a compilation of best practices for supply chain security. Here are some of the key best practices:
Since its public launch in early 2020, Mend Supply Chain Defender has detected more than 350 known malicious packages on the Rubygems registry, and more than 1,400 malicious packages on NPM since late 2021.
Reinforce your software supply chain now, by using Mend Supply Chain Defender. Start for free.