Supply chain risk management is one of a number of areas requiring additional improvement and collaboration within a new framework aimed at helping critical infrastructure owners and operators better protect their assets from cyber attacks, the National Institute of Standards and Technology (NIST) says in a roadmap that accompanies the Cybersecurity Framework.

Organizations have been focused on internal risks, but external risks are also a problem, NIST said in its Roadmap for Improving Critical Infrastructure Cybersecurity.

“Supply chain risk is an essential part of the risk landscape that should be included in organizational risk management programs,” according to the roadmap. “Although many organizations have robust internal risk management processes, supply chain criticality and dependency analysis, collaboration, information sharing, and trust mechanisms remain a challenge.”

The Obama administration released the framework last week after a year of work in which NIST, the Department of Homeland Security, and a slew of stakeholders in the private and public sectors helped shape the document. Use of the framework is voluntary, but it is designed to bring together the best existing practices, standards and guidelines to help organizations better manage their cyber security risks.

The administration and Congress are looking for ways to incentivize the use of the framework. Senior administration officials said they expect the market to develop the best incentives for using the framework.

“There’s an enlightened self-interest here that we’re counting on with regard to businesses’ interest in improving their cyber security,” one official said during a background teleconference with media. “And part of making that business case is providing information to inform their risk assessment.”

NIST played the role of “convener” in coordinating the process that led to the development of the framework. The roadmap lays out further areas that need development, alignment and collaboration as part of future iterations of the framework, which NIST describes as a “living document.”

In the coming months NIST will convene workshops around the various other areas that need additional attention. It says that the standards around supply chain risk are fragmented and need further attention.

“Supply chain risk management, especially product and service integrity, is an emerging discipline characterized by diverse perspectives, disparate bodies of knowledge, and fragmented standards and practices,” NIST said in the roadmap. “Increasing adoption of supply chain risk management standards, practices and guidelines requires greater awareness and understanding of the risks associated with the time-sensitive interdependencies throughout the supply chain, including in and between critical infrastructure sectors [and] subsectors.”

Future activities with stakeholders include discussions of supply chain risk management and mapping existing standards and practices in this area to the framework. NIST also wants to identify challenges to adopting the framework and better enable adoption by understanding the key challenges to supply chain risk management.