The National Institute for Standards and Technology (NIST) is asking for the public’s help in updating one of its flagship cybersecurity guidelines and informing a new initiative on supply chain security.
In a request for information released on Friday, the agency said it was seeking to update its cybersecurity framework to account for new digital security risks, technologies and resources. At the same time, it is launching a new project, the National Initiative to Improve Cybersecurity in Supply Chains, which is dedicated to “identifying tools and guidance for developers and technology providers, as well as only performance-oriented guidance for those acquiring such technology”. Both projects are expected to involve a similar supply chain research focus.
“The Cybersecurity Framework was last updated in April 2018. Much has changed in the cybersecurity landscape in terms of threats, capabilities, technologies, education and workforce, and the availability of resources to help organizations better manage cybersecurity risks,” the agency wrote. “This includes increased awareness and emphasis on cybersecurity risks in supply chains, including a decision to launch NIICS.”
Among the questions that NIST seeks to answer are whether the current framework enables simple and effective risk communication between organizations and their supply chain partners, customers, and insurers; whether restrictions on resources, information sharing or manpower make it impossible to adopt or implement the guidance of the framework; and how to better align the updated framework with complementary resources such as the Risk Management Framework, Secure Software Development Framework, Industrial Control System Cybersecurity Guide, and others.
As part of the National Initiative to Improve Cybersecurity in Supply Chains, the agency wants to know the most acute security challenges that organizations face in their supply chains and how to build on related initiatives, such as its software security initiatives that emerged as a result of President Joe Biden’s executive order on cybersecurity last year. NIST is also interested in any narrowly applied program on software or hardware assurance that may have broader application for securing the digital integrity of the global supply chain.
The agency will accept written or emailed comments from the public for the next 60 days.