Officials from the National Institute of Standards and Technology (NIST) and the Department of Defense (DoD) previewed their agencies’ latest efforts on supply chain security guidelines at the CyberCon 2019 conference today.
NIST, which has been issuing supply chain security guidance since at least 2015, is working on an interagency report to clarify best practices and provide case studies on supply chain security, said Jon Boyens, acting deputy chief of the computer security division at the agency.
Protecting against adversaries, he explained, is often the most appealing part of supply chain defense, but understanding the nuances and broader risks – such as the difference between a threat and a vulnerability – deserves more attention.
“In some ways, we are our own worst enemies. We want all of the bells and whistles…but security can come last when it comes to the Federal acquisition system,” Boyens said.
Meanwhile, DoD is also working on supply chain best practices for public release. Michele Iversen, DoD’s Deputy Chief Information Officer (CIO) for Cybersecurity, said that the agency is working toward an understanding of how to “do [supply chain] risk management across the broad spectrum of technologies and mission programs” within DoD.
“We are looking at a technology right now where the company was compromised and had a big cybersecurity vulnerability …[but] what do the companies need to do for their due diligence to be able to gain our trust again,” Iversen asked.
DoD’s forthcoming best practices, the deputy CIO hinted, will help answer those supply chain and acquisition questions. Iversen credited the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act with aiding the push for Federal acquisition supply chain security.