Supply chain highlighted in Risk Management Framework update — GCN

Supply chain risks are getting new attention in an updated risk management framework document from the National Institute of Standards and Technology. NIST's Special Publication 800-37, whose draft revision is titled Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, was first published in 2010, updated in 2014, and is being refreshed now, with the standards agency seeking comment from the public and stakeholders on the draft.

Previous editions of Special Publication 800-37 have mentioned supply chain as one of numerous risks organizations face in working with external partners, but in the new revision, supply chain risks get special attention. The document advises that information system managers integrate supply chain risk management into their overall risk management outlook to address “untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices” throughout the systems development lifecycle. 
