Dave Nyczepir
Cyber experts agree a technology supply chain security framework developed by the National Institute of Standards and Technology will be a useful tool for agencies and industry. They are less sure about what it will look like.
The White House gave few details in the fact sheet it released — following President Biden's Wednesday meeting with private sector and education leaders on improving national cybersecurity — other than the guidance will address building and assessing the security of technology like open-source software.
NIST's existing Cybersecurity Framework (CSF) includes a supply chain risk management category (ID.SC) under the identify function, but it contains only five high-level subcategories. Other NIST publications on the subject are highly technical, and the Cyber Supply Chain Risk Management (C-SCRM) project updated its practices earlier this year.
“For me, I was left a little bit frankly confused because there’s already some supply chain stuff out there, though it’s not set up like the NIST CSF,” Malcolm Harkins, chief…