NIST Issues Updated Cybersecurity Supply Chain Risk Management Guidance

The National Institute of Standards and Technology (NIST) has released an updated version of its cybersecurity supply chain risk management (C-SCRM) guidance to help businesses develop an effective plan for identifying, evaluating, and responding to cybersecurity threats throughout the supply chain.

Cyber threat actors are increasingly targeting the supply chain. A successful attack on a provider can allow the attacker to compromise the networks of all firms that use the product or service, as was the case with the 2021 REvil ransomware attack on Kaseya. The threat actors exploited a vulnerability in Kaseya VSA software, and the attack affected as many as 1,500 companies.

The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the product of a multi-year process that included the release of two drafts of the guidance. The updated guidance can be used to identify, evaluate, and respond to cybersecurity threats throughout the supply chain at all levels of a company.

Although organizations must take into account vulnerabilities in the finished product they are considering using, the guidance also urges them to look at the security of the product's components, which may include open source code or components created by third parties. A product or device might have been designed in one country, produced in another, and assembled from parts made in several other countries, and those parts may in turn have been put together from components supplied by disparate companies. Malicious code might have been inserted into components, and vulnerabilities could have been introduced that cyber attackers can exploit. The guidance urges companies to consider the journey that each component took to reach its destination.

The guidance is aimed at acquirers and end users of products, software, and services. Because the guidance is meant to be used by a broad audience, user profiles are provided that make clear which portions of the guidance are most relevant to each group. The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by using a multilevel, C-SCRM-specific approach, including guidance on the creation of C-SCRM strategy implementation plans, C-SCRM programs, C-SCRM policies, and risk assessments for products and services.

The guidance can be used to build cybersecurity supply chain risk considerations and requirements into acquisition processes and to create a program for continuously monitoring and managing supply chain risks.

“Handling the cybersecurity of the supply chain is a requirement that will remain,” stated NIST’s Jon Boyens, an author of the guidance. “When an agency or company hasn’t begun on it, this is a detailed tool that could take you step by step, and it can allow you to do so right away.”

 

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA