Research shows NIST, ISO supply chain standards have up to 89% overlap of risk controls


The push for supply chain risk management standards is growing across the government. The Defense Department’s Cybersecurity Maturity Model Certification (CMMC) requirements that are under review may get most of the attention, but the National Institute of Standards and Technology, the ISO certification organization and several other efforts also are out there muddying the supply chain waters.

To help add some clarity to this growing body of water, NASA SEWP partnered with experts to compare the NIST and ISO standards.

Joanne Woytek, the program director for NASA SEWP, said this crosswalk effort will help agencies and vendors alike to have confidence in the technology products and services they are buying.


“We had this ISO standard that was sitting out there and it was getting a little bit of usage. We were looking at what this was doing and realized that people were hearing from many different areas with this is going on, other things going on, and people were being told to follow this, you should follow that, so what do they follow?” Woytek said in an interview with Federal News Network. “There is a goodness that comes out of the ISO standard that can make their life easier, and what are the standards out of NIST that match that? These sorts of questions were out there in our minds, so we decided to put a group together that looked into that and decided to see if there was a match to what NIST is looking at and to what this ISO standard looks at to help inform our customers.”

The working group, made up of government and industry representatives, compared the Open Trusted Technology Provider Standard (O-TTPS), which was adopted as ISO/IEC 20243, with NIST Special Publication 800-161.

Woytek said what the working group found was pleasantly surprising.

The crosswalk showed significant overlap: the ISO standard directly addresses five of the 12 NIST supply chain control enhancements and maps to 75%-89% of the risk controls.

“We have put in quite a bit of effort into working with Open Group and this ISO standard and we felt that there was — it was something worth pursuing. But as you know, with any standard, if you don’t have a customer who wants it, industry is not going to try to get certified. If nobody wants to be certified, who cares? Why spend the money? So you have the chicken and egg question of how do you get things started. So over the past few years, we’ve been slowly building up [to mostly] talk with our contract holders and through presentations and occasionally listening to customers about this ISO standard,” she said.

The white paper concluded:

  • The O-TTPS (ISO/IEC 20243) supply chain risk management (SCRM) standard for “maliciously tainted and counterfeit products” provides some measure of risk management that agencies can use to satisfy certain portions of NIST SP 800-161 and NIST IR 7622.
  • The ISO SCRM standard maps to 75%-89% of the risk controls identified in NIST IR 7622.
  • The ISO SCRM standard directly addresses five of the 12 supply chain management control enhancements.
  • The ISO SCRM standard satisfies nine of the 12 supply chain management control enhancements and complements two of the remaining three.
  • There is one supply chain management control enhancement that the ISO SCRM standard does not address and cannot satisfy.
  • The ISO standard is consistent in purpose and intent with all of the emerging federal policy materials and guidelines that have been proposed or are in draft.

Woytek said the crosswalk also will help with a longer-term goal of improving the supply chain efficacy of all products on SEWP.

“My initial goal was to get to a point where I could actually have a website about it. That happened a few years back, when there were enough companies that were registered and certified on SEWP under the ISO standard that we could put up a site,” she said. “My next goal was to get enough companies that it would make sense for us to tell our customers, ‘This is something you might want to consider as a best practice as you decide on who gets an order.’”

Woytek said 52 of 140 companies under SEWP V have met the ISO standard.

“Now we have the ability to say to our customers, ‘Look, this meets NIST standards or the NIST framework that relates to these areas of concern.’ It’s another reason why you should consider doing this as part of your overall decision making of which company you’re going to order against,” she said. “By doing that, you are bringing it as a requirement, and then the companies will be motivated to get certified to make sure that they follow those practices. That will improve the supply chain. That’s our goal, to get to that point of making this a standard that our companies are looking to certify against to make sure that they’re doing the best they can with supply chain security.”

NASA SEWP is hosting an industry day on Oct. 20 to discuss the crosswalk, the ISO and NIST standards.

NASA SEWP isn’t alone in pushing vendors toward O-TTPS certification. The Department of Homeland Security added the certification to its FirstSource III request for proposals.

Woytek said she expects use of the O-TTPS/ISO 20243 standard to increase as agencies and vendors continue to understand supply chain risks and how to mitigate them. She said NASA SEWP already is planning for the sixth version of the contract, and ISO certification may well be a requirement to bid.

“I think the white paper allows us to have more conversations and to go beyond the ISO standard. Now we have a group of people that have gotten more involved in this standard and the NIST framework and understand what that framework means and where it applies,” she said. “We would like to be seen by our customers and by industry as understanding how different arenas within the supply chain work. This is a good example of how we have done that, matching up one piece of the puzzle to five other pieces of the puzzle.”
