Cyber experts seek clarity on NIST supply chain framework
Cyber experts agree a technology supply chain security framework developed by the National Institute of Standards and Technology will be a useful tool for agencies and industry. They are less sure about what it will look like.
The White House gave few details in the fact sheet it released — following President Biden’s Wednesday meeting with private sector and education leaders on improving national cybersecurity — other than the guidance will address building and assessing the security of technology like open-source software.
NIST’s existing Cybersecurity Framework (CSF) includes a supply chain risk management category under the Identify function, but it has only five high-level subcategories. Other NIST publications on the subject are highly technical, and the Cyber Supply Chain Risk Management (C-SCRM) project updated its practices earlier this year.
“For me, I was left a little bit frankly confused because there’s already some supply chain stuff out there, though it’s not set up like the NIST CSF,” Malcolm Harkins, chief security officer of Epiphany Systems, told FedScoop. “So I would contemplate that they’re trying to take that existing C-SCRM set of practices, and research and assurance suggestions, and perhaps turn it into something like the CSF.”
The prevailing theory is the new framework will focus primarily on the software supply chain — in light of the recent Microsoft Exchange server attacks, Kaseya ransomware attack and SolarWinds breach — with hardware practices thrown in.
A framework that fleshes out NIST’s security measures for software acquisition would give the government more leverage with providers.
“Open-source vulnerabilities, just in general, are pretty huge, and a lot of the software providers out there use open sources like components,” said Padraic O’Reilly, Pentagon advisor and cofounder of CyberSaint. “So there’s demand for increased transparency around that, and that’s also part of what NIST is working on.”
Harkins wants to see the information supply chain finally addressed by NIST’s framework as well because, if the flow of information is poisoned or altered, it can have cyber consequences.
He likens it to knowing whether meat in a grocery store is safe, which can only be assured if the supply chain of information about the product is secure from the slaughterhouse to the point of sale.
“Historically they’ve stayed with the software side or the hardware side of it,” Harkins said. “I would love to see them expand into the supply chain of information flow because I growingly worry about integrity attacks in the flow of information.”
For its part, NIST isn’t saying much — as it just kicked off the effort.
“We will keep the public updated as we have more to announce,” said a NIST spokesperson. “This effort is separate from the NIST Cybersecurity Framework, but we envision they will be complementary.”
The White House fact sheet listed Microsoft, Google, IBM, Travelers, and Coalition as partners collaborating on the framework. Microsoft and IBM didn’t have anything more to add to the release, and Google did not respond to a request for comment.
Travelers Chairman and CEO Alan Schnitzer called the initiative “an important step in enhancing the nation’s overall cybersecurity,” in a statement.
Coalition CEO Joshua Motta said the cyber insurance company would work with government and industry partners to help formulate the new NIST standards. “[W]e hope to create guidelines on how to build secure technology and assess the security of technology to provide organizations with a foundation for how to minimize their cyber risk,” he said.
Harkins worries the weight big players like Microsoft and Google have in the compute environment might introduce bias into the overall supply chain approach and hopes NIST reaches out to small and midsize businesses like Epiphany. Those businesses are often more innovative because they’re less risk averse and less worried about profit loss, he said.
O’Reilly cautioned the White House’s “aggressive” timeline to have agencies identify their critical software isn’t “terribly realistic,” as only some agencies have started. While those timelines may need to be revisited, there’s no reason NIST shouldn’t be pushed to publish its much-needed framework.
“It’s got to be expedited,” O’Reilly said. “So you can’t have the same timeline you had with the CSF or the questions around measurement.”
Note: this story was updated to include comment from Coalition.