NIST Releases Revised Cybersecurity Supply Chain Risk Management Guidance

The National Institute of Standards and Technology (NIST) has published revised cybersecurity supply chain risk management (C-SCRM) guidance to help organizations build an effective program for identifying, assessing, and responding to cybersecurity risks throughout the supply chain.

Cyber threat actors are increasingly targeting the supply chain. A single successful attack can let the threat actor breach the systems of every business that uses the compromised product or service, as happened in the 2021 REvil ransomware attack on Kaseya. The threat actors exploited a flaw in Kaseya VSA software, and the attack impacted approximately 1,500 organizations.

The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), was several years in development and went through two draft editions. The revised guidance can be used to identify, assess, and respond to cybersecurity risks throughout the supply chain at every level of an organization.

While organizations should consider vulnerabilities in the finished product they are evaluating, the guidance also encourages them to consider the security of the product's components, which may include open source code or parts made by third parties. A product or device may have been designed in one country, manufactured in another, and assembled from components sourced from several other countries, which in turn may have been built from parts supplied by different manufacturers. Malicious code may have been embedded in components, and vulnerabilities may have been introduced that cyber attackers can exploit. The guidance encourages organizations to examine the journey each component took to reach its destination.

The guidance is aimed at acquirers and end users of products, software, and services. Because it is intended for a broad audience, user profiles are included to indicate which sections of the guidance are most relevant to each group. The publication discusses integrating cybersecurity supply chain risk management (C-SCRM) with an organization's risk management activities through a multilevel, C-SCRM-specific approach, which includes guidance on developing C-SCRM strategy implementation plans, C-SCRM programs, C-SCRM policies, and risk assessments for products and services.

The guidance can be used to build cybersecurity supply chain risk considerations and requirements into acquisition processes and to develop a plan for continuously monitoring and managing supply chain risks.

Managing the cybersecurity of the supply chain is essential, explained NIST guidance author Jon Boyens. If an agency or business has not yet started on it, this is a complete program that can take you by the hand, and it could enable you to do so quickly.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism.