The National Institute of Standards and Technology has issued the second draft of its federal information technology supply chain risk management report, GCN reports.
NIST outlined 10 practices agencies should exercise in order to minimize risks in IT supply chain systems, GCN’s William Jackson writes.
The list consolidates 21 practices included in the original draft from 2010 and is intended to outline commercially applicable and repeatable practices, Jackson said.
According to the report, supply chain security is part of cybersecurity practice because it covers equipment and software that can be compromised, allowing adversaries to gain access to systems later.
This is a result of increasingly sophisticated attack types and the growing global supply chain, NIST indicates.
Federal agencies should identify the elements, processes and actors in supply chains to protect information and communication technology products and services, the agency said.
NIST suggested limiting supply chain data within the agency, conducting regular supply chain management training and reviews, and creating supply chain policies.
The agency is accepting comments on the draft through May 25.