
NIST’s supply chain recommendations

Let’s borrow liberally from the National Law Review

The Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) jointly published a new resource as part of their ongoing efforts to promote awareness of, and help organizations defend against, supply chain risks. The publication, Defending Against Software Supply Chain Attacks, provides recommendations for software customers and vendors as well as key steps for prevention, mitigation and resilience of software supply chain attacks.

Two key recommendations:

NIST recommends establishing a formal, organization-wide cyber supply chain risk management (C-SCRM) program to ensure that supply chain risk receives attention across the organization, including from executives and managers within operations and personnel across supporting roles.

NIST recommends that organizations develop and implement a vulnerability management program to scan for, identify, triage, and mitigate existing software vulnerabilities.

Why do we care?

NIST’s recommendation is to look for vulnerabilities. Let’s pair that with the recent UK Cyber Center’s recommendation to turn automatic patching on for devices. The future of patch management looks like scanning to confirm that patches are actually being applied, rather than acting as a blocker that slows the process down with service verification before each patch. Handle the exceptions.

Think of this in the context of an IT services company operating at the business-process layer. You care a lot less about implementing things like patch management yourself, and more about ensuring that the exceptions get handled. That is certainly a different offering than the “traditional” managed service.