Telecommunications Industry Association (TIA) QuEST Forum Trusted Network Summit

Remarks as prepared.

Hello and thank you so much to everyone with the TIA QuEST Forum for inviting me to speak to you today.

I am pleased to be part of a lineup that includes strong representation of women in technology, and happy to join Keri Gilder and Deepti Arora as a keynote speaker. Your panels also include an interesting cross section of experts and organizations. I am sure you will have fruitful discussions today.

The goals of the TIA QuEST Forum really resonate with me, as they have much in common with NIST’s mission to promote innovation and industrial competitiveness. Building trust in technology is also at the heart of what we do, and I will talk a bit more about that shortly.

First, I would like to emphasize the importance of standards. As the under secretary of commerce for standards and technology and the director of NIST, ensuring U.S. leadership in international standards development is a top priority of mine. And the private sector led approach to standards is an integral part of U.S. technology leadership.

I cannot overstate the importance of coordination and cooperation with the private sector on standards development, as well as the importance of international cooperation. NIST and the rest of the U.S. government are ready to work with all of you to ensure that standards incorporate the highest technical rigor.

The recently enacted CHIPs and Science Act of 2022 emphasizes how critical technical standards are to economic development. The act is a transformative piece of legislation for the nation, providing $50 billion over five years to the Department of Commerce and to NIST. 

Thirty-nine billion will be used to implement an incentives program aimed at increasing domestic semiconductor manufacturing capacity. Eleven billion will go to research and development to push forward U.S. innovation in this field and to cement those innovations in the U.S. for our future economy.

We are working hard to deliver on this program, and if you would like to learn more and get involved, I encourage you to visit chips.gov. There you can read our strategy and find the most recent updates on any guidance or plans.

NIST also supports international standards development through educational initiatives that have the potential to foster the next generation of standards professionals.

We recently made five awards totaling $500,000 to support standards education in undergraduate and graduate curricula. This was our largest single annual investment since the program began a decade ago.

NIST also directly supported the October publication of the Bureau of Industry and Security Interim Final Rule. This Interim Final Rule will restore a regulatory environment that is more conducive to U.S. industry participation and leadership in international technology standards.

I know from personal experience that standards work is difficult — yet incredibly rewarding. It takes technical competence, accurate data, patience, strong communication, solid negotiation skills, and in many cases — diplomacy.

It takes a commitment to not only achieving results, but to balancing the needs of many stakeholders.

So I congratulate all of you for recently introducing the information communication technology industry’s first process-based standard, SCS 9001. I am pleased to know that this comprehensive set of control measures aligns with related NIST documents and frameworks. And I would like to thank the NIST experts who supported that effort, in particular Jon Boyens and Angela Smith.

Trust

At NIST, we have a compelling mission to enhance innovation and competitiveness. And from a cybersecurity perspective, we typically talk about our purpose being to cultivate trust in technology and between organizations. 

We seek to achieve our purpose by advancing cybersecurity and privacy standards and guidelines, technologies and measurements. 

This trust is built not just by producing the world’s leading standards, guidelines, and other resources. It is very much built by engaging in a process that is open, transparent, inclusive and collaborative across ALL stakeholders.

Trust is the anchor for our work and the way we approach it. 

We also believe that the development and use of standards and related conformity assessment procedures is key to cultivating trust. And this is why the work TIA is doing to build trust in the ICT supply chain is so very timely and important to all stakeholders.

NIST and C-SCRM

When a supply chain is compromised, its security can no longer be trusted, whether it involves a chip, laptop, server or other technology.

Organizations are increasingly at risk of cybersecurity compromises in their supply chains. Many of the same factors that decrease cost, enable interoperability, foster rapid innovation, and provide other benefits, also increase the cybersecurity risks in supply chains. 

Managing cybersecurity risks in supply chains requires organizations to ensure the integrity, security and resilience of their supply chains as well as the products and services that transit that chain. 

For well over a decade, NIST’s Cybersecurity Supply Chain Risk Management program has worked with domestic and foreign industry, academia and various governments. Our work has focused on identifying and evaluating effective technologies, tools, techniques, practices and standards that help both public and private organizations manage the cybersecurity risks in their supply chains. 

More recently and spurred on by an Executive Order to improve the nation’s cybersecurity, NIST has started to focus on researching and providing guidance on the development and management of software in the supply chain. 

Additionally, last year we announced the National Initiative to Improve Cybersecurity in Supply Chains, or NIICS. Through this initiative, NIST will research and provide guidance on the development and management of hardware and services throughout the supply chain. 

Many of our current and future work in hardware and software assurance are included in this initiative, such as our work on trusted devices and the secure development of software and hardware.

To drive adoption and use of cybersecurity supply chain standards and practices, NIST’s National Cybersecurity Center of Excellence, or NCCoE, is collaborating with vendors on a project to secure hardware devices. We have also recently announced collaborative work in the NCCoE focused on the secure development of software.

Though quite often NIST’s work is specific to address cybersecurity risks in supply chains, there is a clear need to build supply chain guidance into broader, existing efforts. One example of this is the update of the NIST Cybersecurity Framework. Many stakeholders have encouraged us to further integrate cybersecurity supply chain risk management into the framework version 2.0, which is being developed now.

And of course, we will be addressing supply chain risks as part of NIST’s work under the CHIPS and Science Act and expanding our work in developing secure and trustworthy hardware.

Once again, thank you for giving me this opportunity to speak to you today.

I wish you all a productive meeting and encourage you to reach out to NIST to see how we might work together.