Skip to content ↓ | Skip to navigation ↓

The National Institute of Standards and Technology (NIST) has updated the guidelines for Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations and published the draft in efforts to seek feedback before the public comment period ends July 18, 2014.

“Between the growing sophistication and complexity of modern information and communication technology (ICT) and the lengthy and geographically diverse ICT supply chains, important federal information systems are at risk of being compromised by counterfeits, tampering, theft, malicious software and poor manufacturing practices,” NIST stated. “A counterfeit chip could cause a computer system to break down; malware could lead to loss of critical information.”

The publication provides guidance to federal departments and agencies on procurement security issues by providing strategies to identify, assess, and mitigate ICT supply chain risks at multiples levels in the process, and is intended to be applied to “high-impact systems” as identified in NIST’s Standards for Security Categorization of Federal Information and Information Systems guidelines.

“NIST recommends that evaluating ICT supply chains should be part of an organization’s overall risk management activities and should involve identifying and assessing applicable risks, determining appropriate mitigating actions, and developing a plan to document mitigating actions and monitoring performance,” NIST explained. “The plan should be adapted to fit each organization’s mission, threats and operating environment, as well as its existing ICT supply chains.”

The guidelines were revised after an extensive review and comments period that sought input from the ICT community, and NIST is seeking further feedback on key changes, including:

  • Increased emphasis on balancing the risks and costs of ICT supply chain risk management processes and controls throughout the publication
  • An ICT supply chain risk management controls summary table that provides a baseline and maps to NIST Special Publication 800-53 Revision 4 High baseline controls in Appendix D
  • An annotated ICT Supply Chain Risk Management Plan Template in Appendix H

Comments may be submitted by email to using the template on the web page.

Read More Here…