The National Institute of Standards and Technology released a new publication this week targeting supply chain risk management (SCRM) in IT procurements. With the complexity of modern technology, it has become easier for bad actors to slip malicious or counterfeit software and hardware into acquisitions, creating significant, unforeseen problems down the road.
The publication – Supply Chain Risk Management Practices for Federal Information Systems and Organizations – is not meant to replace current federal regulations but rather to outline a set of general guidelines that can be tailored to an agency's processes.
To keep up with emerging technological advances, agencies are buying more commercial off-the-shelf products and relying more on the private sector to deliver critical systems.
"The same globalization and other factors that allow for such benefits also increase the risk of a threat event which can directly or indirectly affect the [information and communications technology] supply chain, often undetected, and in a manner that may result in risks to the end user," the document states. "Supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices."
Agencies can mitigate these risks by developing a plan to test, deploy, maintain and retire systems in a manner that ensures those systems are working properly and don't present major security risks.
The document goes into detail about the kinds of relationships agencies can develop with technology providers but notes these should be calibrated based on a risk management approach.
"The cost of requiring system integrators and external service providers to implement ICT SCRM processes and controls should be weighed against the risks to the organization of not adhering to those additional requirements," NIST writes. "This is especially true for those products and services developed for general-purpose application and not tailored to the specific organization's security or ICT SCRM requirements."
As a starting point, NIST recommended four goals to keep in mind while developing an SCRM plan:
- Manage, rather than eliminate, risk;
- Ensure that operations are able to adapt to constantly evolving threats;
- Be responsive to changes within their own organization, programs and the supporting information systems; and
- Adjust to the rapidly evolving practices of the private sector's global ICT supply chain.