The private sector is usually in the fortunate position of being able to ignore the National Institute of Standards and Technology (NIST)’s guidance as new special publications come out and effect change in the public sector. However, the latest draft on addressing supply chain security epitomizes a trend we are seeing in the industry. Everyone, whether public, private or non-profit, should heed this new guidance as a harbinger of what is to come.
Information systems have rapidly expanded in both capability and number, permitting an increased reliance on outsourcing and commercially available products. This has resulted in a loss of both visibility into and understanding of how acquired technology is developed, integrated and deployed. The information void extends into the processes, procedures and practices used by supply chain contributors to assure the integrity, security, resilience and quality of their products and services. This vacuum of data reduces the control enterprises have when attempting to effectively manage the risks inherited from the supply chain.
How to address the security of the supply chain is a conundrum facing today’s leading enterprises. Gartner offered an analysis of the threat in the Maverick Research: Living in a World Without Trust: When IT's Supply Chain Integrity and Online Infrastructure Get Pwned, but included limited actionable suggestions for dealing with the danger.
However, the recently released draft guidance from NIST, published as Special Publication 800-161, offers a practical framework of controls for integrating supply chain security into an existing risk management program, appropriate for any mature organization. In tomorrow’s webinar, “Something the Feds Got Right: Software Supply Chain Security,” Chris Wysopal will focus on the controls that are most applicable to enterprises working to secure their software supply chain.
As leading enterprises and security-conscious organizations focus on securing their supply chain, we are going to see more guidance, and even mandates, in the future. Getting ahead of this curve will be crucial not just for security teams, but also for software suppliers.