The National Institute of Standards and Technology is extending the comment period for the second draft of its publication intended to help federal departments manage supply chain risks for federal information systems.
The deadline is now May 25.
NIST Interagency Report (NISTIR) 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” is based on security practices and procedures published by NIST, the National Defense University and the National Defense Industrial Association and then expanded to include supply chain implications.
The document provides a set of 10 practices intended to help federal departments and agencies manage the risk associated with the supply chain when purchasing and implementing information and communications technology (ICT) products and services. The second draft, issued on March 23, 2012, reflects extensive revisions based on public comments on the first draft, released in June 2010.
The new draft narrows the 21 prescriptive practices in the first draft down to 10 overarching practices that describe what is necessary for risk mitigation. ICT supply chain risk management is described in NISTIR 7622 as a multidisciplinary practice with a number of interconnected enterprise processes that, when performed correctly, will help departments and agencies manage the risk of using ICT products and services.
The publication calls for procurement organizations to establish a coordinated team approach to assess the ICT supply chain risk and to manage this risk by using technical and programmatic mitigation techniques.