Inside Cybersecurity

September 19, 2021


NIST’s Boyens: Revised supply chain publication provides acquisition considerations for risk management

By Sara Friedman / May 5, 2021

The National Institute of Standards and Technology has incorporated acquisition guidance for cyber supply chain risk management into the first draft of an influential publication for both government and industry, in response to a shift in industry perspective toward NIST’s role on procurement issues, says the agency’s Jon Boyens.

The SECURE Technology Act of 2018 played a significant role in NIST’s decision to revise the publication to address acquisition and procurement, according to Boyens, who leads NIST’s Cyber Supply Chain Risk Management program. Boyens spoke with Inside Cybersecurity about the changes in the draft of Revision 1 of NIST Special Publication 800-161, which was published last week.


Jon Boyens, Deputy Chief, NIST’s Computer Security Division

When the original publication was released in 2015, industry did not want NIST “to touch on acquisition and procurement,” Boyens said. “We knew it was a sensitive area that is not really NIST’s bailiwick but things have changed since then.”

Boyens, lead author of NIST 800-161, said the law marked a significant change by recognizing that “supply chain risk management does not equate to acquisition but acquisition is an incredibly important [part] of cyber supply chain risk management. We decided there was a big gap and we needed to address that.”

Boyens said the initial resistance from industry largely came from information technology vendors, but the “different adversarial activities in supply chain attacks” over the years have shown the “writing on the wall” that acquisition and procurement needed to be addressed.

“Integrating C-SCRM considerations into acquisition activities is essential to improving management of cyber supply chain risks at every step of the procurement and contract management process,” the publication says.

NIST 800-161 describes how the process should work:

This life cycle begins with a purchaser identifying a need, includes the processes to plan for and articulate requirements, conduct research to identify and assess viable sources of supply, solicit bids and evaluate offers, to include ensuring conformance to C-SCRM requirements and assessing C-SCRM risk associated with the bidder and the proposed product and/or service offering. After contract award, ensure the supplier satisfies the terms and conditions articulated in their contractual agreement and that the products and services conform as expected and required. C-SCRM considerations need to be addressed at every step in this life cycle.

The NIST publication provides a summary of “where C-SCRM assessments may take place within the various steps of the procurement process” as well as considerations for agencies when it comes to “contractual agreements and contract management.”

Acquisition is one of five success factors highlighted in the publication. The factors are “requisite organizational processes and capabilities to make C-SCRM successful,” the NIST draft says.

Another factor is information sharing, which Boyens said is an important component of the Federal Acquisition Security Council, a new interagency organization with the authority to issue removal and exclusion orders for specific products and services.

The other success factors are C-SCRM training and awareness, measurement and metrics, and dedicated resources.

The new publication also has a key practices section, broken down into three areas: foundational, sustaining and enhancing. Boyens said the section was added in response to requests from departments and agencies that wanted more details on how to implement the C-SCRM approach.

Boyens said, “We look at this as kind of a crawl, walk, run approach. One of the things we discovered when we were talking to departments and agencies is that cyber supply chain risk management on its face can quite often seem so complex that it is debilitating, so complex that they don’t even know where to start. They look at what many of the more mature organizations are doing and they are seeing that they are running. They know that they can’t start running but they don’t know how to start crawling.”

The agency will hold a virtual workshop on May 12 on the publication “to further engage stakeholders by answering questions and gathering comments to ensure that the revised guidance will deliver comprehensive and relevant cyber supply chain risk management practices and guidance.” NIST is also accepting comments through June 14.

Boyens said NIST’s current plan is to release a second draft of 800-161 in September but plans could change based on stakeholder feedback. -- Sara Friedman (sfriedman@iwpnews.com)