NIST launches supply chain security framework effort with top tech firms

Major U.S. technology firms and other businesses are promising to work with the Biden administration on a new supply chain security framework, among other cybersecurity commitments announced after meeting with the president and top cabinet officials at the White House yesterday.

The National Institute of Standards and Technology will lead the work on a new framework “to improve the security and integrity of the technology supply chain,” the White House announced yesterday. Microsoft, Google and IBM, as well as insurance firms Travelers and Coalition, committed to working with NIST on the new project, according to the White House fact sheet.

The NIST project will help “build and assess secure technology, as well as evaluate other technology including open-source software,” according to the Commerce Department. The agency said the private sector will be intimately involved in the work, as has been the case with past frameworks for cybersecurity and privacy.

“The process aims to reflect lessons learned from the past and current joint efforts to improve the way in which cybersecurity risks are managed — especially as they relate to supply chains involving smaller organizations, which frequently face special cybersecurity-related challenges,” Commerce said. “From the outset, NIST will include a special focus on promoting the development and adoption of international standards that will lead to global use of the approaches and solutions developed as a result of this partnership.”

Terry Halvorsen, the former Defense Department chief information officer and now IBM’s general manager for the federal market, said the NIST work “will get everyone focused on the right steps to begin the journey” on a supply chain framework. IBM Chief Executive Arvind Krishna was among those who participated in the White House meeting.

Halvorsen referenced analysis already done by the public-private Information and Communications Technology Supply Chain Risk Management task force, as well as work done by other groups on supply chain security.

“Pull that together and start laying out, ‘Okay, here’s the priority set of things that need to be done first, here’s the next set of things that need to be done, here are some timelines that we’re going to strive for to get that done, and here’s how we’re going to structure this so that we have better cooperation between industry and government,’” Halvorsen said in an interview with Federal News Network.

Halvorsen also predicted the framework would be used as “factors in how a business is evaluated” by the government.

One of the major issues the NIST work could address up front is the security of microelectronics and microchips, he added.

“I think they’re the two most critical areas,” Halvorsen said. “When you think about microelectronics, microchips, then you start to think about the areas that I think the president’s keenly interested in, which is the national infrastructure, including all of our communications and networks, in addition to water supplies, power supplies . . . they’re just key parts of how those systems work.”

The administration also announced the natural gas pipeline sector will participate in the Industrial Control Systems Cybersecurity Initiative. The initiative began earlier this spring with the electricity sector. The White House says more than 150 electricity utilities representing 90 million residential customers are in the process of deploying control system cybersecurity technologies as part of the program.

“The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” Biden said at the meeting. “So I’ve invited you all here today because you have the power, the capacity, and the responsibility, I believe, to raise the bar on cybersecurity.”

Last month, President Biden issued a new National Security Memorandum outlining a plan to develop voluntary cybersecurity goals for owners and operators of critical infrastructure. But the administration also hinted at the potential for those goals to become requirements.

“We want to work with the private sector and Congress to ensure these standards are adopted across the board,” a senior administration official told reporters prior to the meeting. “In other words, ‘Heads up. This is what we think is reasonable as a threshold, since you’re an owner and operator of critical infrastructure. We’re going to work to make sure that these standards are adopted across the board because we as the government owe that to the citizens we serve. But we’d love for you to get a head start and get moving.’”

After the meeting, companies also pledged to make investments in cybersecurity advancements and education. Google said it would invest $10 billion over five years to “expand zero-trust programs, help secure the software supply chain, and enhance open-source security,” the White House said. Meanwhile, Microsoft plans to invest $20 billion over five years “to accelerate efforts to integrate cyber security by design and deliver advanced security solutions.”

Apple said it would work with its suppliers “to drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.”

IBM said it would train 150,000 people in cybersecurity skills over the next three years and establish “Cybersecurity Leadership Centers” at Historically Black Colleges and Universities. Meanwhile, Amazon announced it plans to make available to the public at no charge the same security awareness training it offers its employees.

The meeting also yielded cybersecurity pledges from cyber insurance companies. Resilience announced it will require policy holders “to meet a threshold of cybersecurity best practice as a condition of receiving coverage,” while Coalition said it would make its risk assessment and continuous monitoring platform available for free to any organization.

The flurry of commitments from industry comes as Congress, in addition to the administration through the cybersecurity executive order, weighs potential cyber incident reporting requirements for federal contractors and critical infrastructure companies, as well as other cybersecurity mandates.

Halvorsen said he believes the Biden administration wants to take industry’s input into account when shaping both cybersecurity goals and potential requirements.

“Realistically, in the end, there will have to be a couple mandates, probably,” he said. “But I think even those will be guided by industry input. And that is the big change I see is that both the government and industry have moved to a point where they both recognize this has to be done together.”
