NIST rolls out final C-SCRM guidance to enhance cybersecurity, secure integrity of software supply chain

The National Institute of Standards and Technology (NIST) released Thursday the final version of its foundational C-SCRM guidance document for systems and organizations. The Cybersecurity Supply Chain Risk Management (C-SCRM) document provides directions to enterprises on how to identify, assess, select, and implement risk management processes and mitigating controls across the enterprise to help manage cybersecurity risks throughout the supply chain. 

Titled NIST 800-161 r1 ‘Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations,’ the C-SCRM guidance provides updates on identifying, assessing, and responding to cybersecurity risks throughout the supply chain at all levels of an organization. Among other things, it helps to fulfill parts of the 2021 Executive Order (EO) on Improving the Nation’s Cybersecurity which addresses the increasing software security risks throughout the supply chain.

NIST will issue additional information by May 8 about its software supply chain guidance plans, including review and update procedures. “By that same date, the Secretary of Commerce, in consultation with the heads of other agencies will provide to the President, through the Assistant to the President for National Security Affairs (APNSA), a report that reviews the progress made under this section and outlines additional steps needed to secure the software supply chain,” the agency added.

NIST has conducted a review of the pilot programs, consulting with the private sector and relevant agencies to assess the effectiveness of the programs and determine what improvements can be made going forward, and will submit a summary report by May 12, 2022, to the APNSA.

The document offers key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains. It also encourages organizations to consider the vulnerabilities not only of a finished product they are considering using but also of its individual components, which may have been developed elsewhere, and the journey those components took to reach their destination. 

The C-SCRM guidance document is not intended to be one-size-fits-all. Instead, it should be appropriately adapted and tailored to the unique size, resources, and risk circumstances of each enterprise. Enterprises adopting the document may vary in how they internally implement the C-SCRM practices described in the guidance, which makes C-SCRM the shared responsibility of different disciplines with different SCRM perspectives, authorities, and legal considerations.

The C-SCRM guidance identifies that contemporary enterprises run complex information systems and networks to support their missions. These information systems and networks are composed of ICT/OT products and components made available by suppliers, developers, and system integrators. The controls contained in the publication are built on existing multidisciplinary practices and are intended to increase the ability of enterprises to manage the associated cybersecurity risks throughout the supply chain over the entire life cycle of systems, products, and services.

Operational technology (OT) consists of programmable systems or devices, typically deployed across the critical infrastructure sectors, which interact with the physical environment or manage devices that interact with the physical environment. These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Such systems operate as the backbone of industrial automation, using industrial control systems, building management systems, fire control systems, and physical access control mechanisms to run a nation’s electricity grid, water and wastewater, pharmaceuticals, oil and natural gas, transportation, chemical, pulp and paper, and discrete manufacturing installations.

Enterprises also acquire and deploy various products and services, including custom software for information systems built to be deployed within the enterprise, made available by developers, the NIST document said. It also covers operations, maintenance, and disposal support for information systems and networks within and outside of the enterprise’s boundaries, made available by system integrators or other ICT/OT-related service providers, and external services to support the enterprise’s operations that are positioned both inside and outside of the authorization boundaries, made available by external system service providers, it added.

The C-SCRM guidance said that OT systems possess unique operational and security characteristics that necessitate the application of specialized skills and capabilities to effectively protect them. “Enterprises that have significant OT components throughout their enterprise architecture often turn to specialized service providers for the secure implementation and maintenance of these devices, systems, or equipment. Any enterprise or individual providing services that may include authorized access to an ICT or OT system should adhere to enterprise C-SCRM requirements. Enterprises should apply special scrutiny to ICT/OT-related service providers managing mission-critical and/or safety-relevant assets,” it added.

Systems and components that traverse the supply chain are subject to access by a variety of individuals and enterprises, including suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers, the guidance said. “Such access should be defined and managed to ensure that it does not inadvertently result in the unauthorized release, modification, or destruction of information. This access should be limited to only the necessary type, duration, and level of access for authorized enterprises (and authorized individuals within those enterprises) and monitored for cybersecurity supply chain impact,” it added.

The C-SCRM guidance has been published online on NIST’s dedicated EO 14028 web-based portal to co-locate it with related EO guidance under NIST’s purview. Publishing it there also allows updates to reflect evolving guidance without directly impacting SP 800-161, Rev. 1, and delivers traceability and linkage with other NIST web-based assets as they move online, to encourage dynamic and interactive engagement with stakeholders.

In the lead-up to the latest C-SCRM guidance, NIST worked with the National Security Agency (NSA), Office of Management and Budget (OMB), Cybersecurity & Infrastructure Security Agency (CISA), and the Director of National Intelligence (DNI) to arrive at a definition for the term ‘critical software.’ The agency published guidance outlining security measures for critical software last July, after consulting with CISA and OMB. By that same date, after consulting with the NSA, NIST published guidelines recommending minimum standards for vendors’ testing of their software source code.

NIST issued preliminary guidelines by Nov. 8, 2021, based on stakeholder input and existing documents, for enhancing software supply chain security. In early November, the agency released the second public draft of its C-SCRM practices for systems and organizations for public comment. The document laid down guidelines for enterprises on how to identify, assess, select, and implement risk management processes. After consulting heads of various agencies by Feb. 6, NIST issued additional guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria.

Last week, NIST released an initial public draft that guides how to improve the security of OT systems while addressing their performance, reliability, and safety requirements. The NIST SP 800-82 document provides an overview of OT and typical system topologies, identifies typical threats to organizational mission and business functions supported by OT, describes typical vulnerabilities in OT, and provides recommended security safeguards and countermeasures to manage the associated risks.
