NIST gives agencies new guidance to prepare for next SolarWinds-like hack

During the 2020 SolarWinds hack, bad actors were able to access thousands of networks inside and outside government.

The National Institute of Standards and Technology on Thursday published updated guidance meant to help agencies and organizations protect against cyberthreats in the supply chain, a major focus of the Biden administration’s cybersecurity executive order last year.

The revised publication on cybersecurity supply chain risk management gives acquirers and users of software and other technologies key practices, processes and controls to consider as they look to protect against such threats that can emerge from that tangled web of global suppliers and manufacturers from which companies develop technology products.

“Managing the cybersecurity of the supply chain is a need that is here to stay,” NIST’s Jon Boyens, one of the publication’s authors, said in a statement. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”

President Biden’s May 2021 cybersecurity executive order required NIST to issue updated guidance within a year in response to the increase in cyber risks and incidents occurring throughout the software and IT supply chain.


NIST’s new publication “encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination,” the agency said in a release.

For instance, with the notorious late 2020 breach involving SolarWinds’ Orion product, Russian hackers embedded malicious code at the source of the SolarWinds software and then moved upstream to gain potential access to 18,000 customers’ networks, including those of numerous federal agencies.

“It has to do with trust and confidence,” said NIST’s Angela Smith, an information security specialist and another author of the guidance. “Organizations need to have greater assurance that what they are purchasing and using is trustworthy. This new guidance can help you understand what risks to look for and what actions to consider taking in response.”

Building on previous guidance on supply chain risk management, the new publication has broadened its view of supply chain risks to include source code and the retailers that carry it, acknowledging in a release that “cybersecurity risks can arise at any point in the life cycle or any link in the supply chain.”

In March, the Office of Management and Budget issued a directive requiring agencies to comply with NIST’s earlier guidance on software supply chain security and its Secure Software Development Framework.


Written by Billy Mitchell

Billy Mitchell is Senior Vice President and Executive Editor of Scoop News Group's editorial brands. He oversees operations, strategy and growth of SNG's award-winning tech publications, FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. After earning his journalism degree at Virginia Tech and winning the school's Excellence in Print Journalism award, Billy received his master's degree from New York University in magazine writing while interning at publications like Rolling Stone.