Just last week, the National Institute of Standards (NIST) published the first draft of a new guidance on Supply Chain Security for Federal Information Systems. This publication is titled NISTIR 7622: Piloting Supply Chain Risk Management for Federal Information Systems.
This document actually has a lot of preliminary information in its 86 pages, but seems aimed at doing two things: 1) defining Supply Chain Risk in terms of all of its components, which pulls in other FIPS and security standards previously published by NIST, and 2) clearly stating that this document is the first concrete step in addressing the portions of the Comprehensive National Cyber Security Initiative (CNCI) concerned with Supply Chain management (Initiative #11). This guidance will be used in several pilot programs in supply chain management of federal information systems.
The direction in this document is primarily aimed at procurement officials and organizations. The players involved in Supply Chain Risk Management are indicated in the diagram above. The steps the guidance calls for include requiring trustworthy supply chain sources, trustworthy manufacturing and design sources, contingency supply plans in case of compromise or losses, and activities called ‘Defensive Design’. Defensive design is the practice of assuming that there are security vulnerabilities in the interfaces between sourced elements and software in an integrated system.
NISTIR 7622 also talks about programs for supply chain protection, which is an element of the manufacturing process of the Acalis Secure Processor. It also discusses the implementation of security configurations, which is the primary benefit of the Acalis Sentry Security Server. Other parts of the guidance talk about treating supply chain ‘incidents’ like security breaches with investigations and root cause analyses.
Overall, this NIST guidance offers some direct evidence of Government concern about supply chain, component, and design tool sourcing for critical infrastructure systems in the United States. More and more, a competitive aspect of a company’s product offering will be the soundness of the design environment and the security program in place to make sure there is no tampering with the product or the process.
As supply chain security is one of the primary value offerings of the Acalis Secure Processor and peripherals, it is something we have anticipated and take very seriously.