The revised publication provides key practices that can be adopted by organizations as they build up their capability to manage cybersecurity risks across and within supply chains and encourages them to look at the vulnerabilities associated with the finished product and its components, NIST said Thursday.
“Organizations need to have greater assurance that what they are purchasing and using is trustworthy. This new guidance can help you understand what risks to look for and what actions to consider taking in response,” said Angela Smith, an information security specialist at NIST and one of the publication’s authors.
The guidance underscores the importance of ongoing risk monitoring and seeks to help organizations build requirements and considerations for cyber supply chain risks into their acquisition processes.
The publication also examines potential vulnerabilities in the sources of code an organization relies on, for instance, since it recognizes that cyber risk can emerge at any point or link in the supply chain, not only in the finished product.