The National Institute of Standards and Technology (NIST) has condensed its recommendations for securing the federal IT supply chain, deciding to focus on core elements around secure and reliable information and the communication systems used to transmit it.
The institute found that government, like many private businesses, increasingly relies on off-the-shelf hardware and software to save costs and speed up implementation. However, government often lacks an in-depth understanding of the supply chain and its associated risks, exposing itself to the risks of malicious software, counterfeit materials, stolen information, and others, NIST said.
Guidelines in a new NIST draft report, “National Supply Chain Risk Management for Federal Information Systems,” provide reasonable steps that many federal agencies can take to secure supply chains. The 10 steps featured are a narrowed focus compared to the 21 practices from the original draft, which was first released in 2010.
“Federal agency information systems are increasingly at risk of both intentional and unintentional supply chain compromise due to the growing sophistication of information and communications technologies and the growing speed and scale of a complex, distributed global supply chain,” the report said. NIST also noted that it is “increasingly difficult for federal departments and agencies to understand their exposure and manage the associated supply chain risks.”
The recommendations come out of existing practices but are not limited to procurement. They are also not meant to be something applied to every situation and then left alone. The report says security must be an active process in governmental bodies.
The recommended management practices are:
- Identify the supply chain elements, processes, and actors. Knowing the “who” and “what” for your supply chain to help determine the information around incidents and exposure.
- Limit access and exposure within the supply chain. This practice is about limiting access and providing only what access is necessary to complete a job. The step also includes monitoring access.
- Create and maintain the provenance of elements, processes, tools, and data. Records of origin and changes to elements under the control of acquirers, suppliers, and other parties should be kept to understand goods and who has access to them.
- Set strict limits on information-sharing. This is to ensure that information only goes to those who need it to perform their work and asks bodies to set up a controlling policy for information sharing.
- Perform supply chain risk management awareness and training. One key and somewhat overlooked factor is training. NIST said training is the backbone of safety and recommends educating personnel on policy, procedures, applicable management, operations, and technical controls and practices.
- Use defensive design for systems, elements and processes. Defensive design is used to identify and react to incidents in technical and organizational activities that could result in adverse supply chain events. This includes very complex items as well as simple concepts like using multiple equipment types, such as routers from multiple manufacturers, to prevent a single hack shutting down an entire system.
- Perform continuous integrator review. This is to ensure that defensive measures have been deployed, are functioning, and are up to the task at hand.
- Strengthen delivery mechanisms. This covers both physical and information deliveries, hardware and software, and is recommended to be looked at regularly. Delivery-based compromise can hit anywhere in the supply chain or life cycle, so multiple protections should be used every step of the way.
- Assure sustainment activities and processes. This includes maintenance, upgrades, patches, replacement, removal and other similar activities that keep systems operational, functional, and secure.
- Manage disposal and final disposition activities throughout the system or element life cycle. Disposal can also occur at any point in the life cycle, and poor disposal of items can easily facilitate unauthorized access to systems. Those who do your disposal should be knowledgeable of supply chain procedures and potential threats.
The 91-page draft can be found here
. - Geoff Whiting