NIST releases publication on how businesses can minimize cybersecurity risk

A new publication by the National Institute of Standards and Technology (NIST) outlines a set of risk management techniques for businesses to reduce cybersecurity risk to global supply chains.

The publication, called Key Practices in Cyber Supply Chain Risk Management, addresses the vulnerabilities in the cyber supply chain and offers strategies to minimize them.

“The seed of the problem is that everything is interconnected nowadays,” NIST’s Jon Boyens, one of the draft report’s authors, said. “Products are very sophisticated, and with our globalized economy, companies often outsource the tasks of developing components and code to other companies, involving multiple tiers of suppliers.”

Many recent cyber breaches have been linked to supply chain risks, including Operation ShadowHammer in 2018, which affected up to a million users.

The NIST report outlines eight key practices, from establishing a formal risk management program to collaborating closely with key suppliers. Each best practice is accompanied by a set of recommendations, with guidance on how to apply them to individual companies and circumstances. The report also includes 24 case studies showing how companies in different economic sectors handle cybersecurity.

“Many companies share the same suppliers, but their overall supply chains are still very different,” Boyens said. “To supplement our report, you can look for the case studies that are relevant to your industry.”

NIST is seeking public comment on the draft publication until March 4, and the institute said it will release a final version in the spring.

Dave Kovaleski
