NIST has released a revision of Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1). This document updates guidance on identifying, assessing, and responding to cybersecurity risks throughout the supply chain at all levels of an organization. Among other things, it helps to fulfill NIST's responsibilities under the 2021 Executive Order (EO) on Improving the Nation's Cybersecurity, which addresses increasing software security risks throughout the supply chain. That part of the revised publication, Appendix F, covers sections 4(c) and 4(d) of the EO and is available only on NIST's EO website.
The publication offers key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains. It also encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its individual components, which may have been developed elsewhere, and the journey those components took to reach their destination. This final version follows two earlier draft revisions of the document.