The National Institute of Standards and Technology, tasked by the White House with developing a supply chain security framework applicable to the broad information and communications technology sector, isn’t trying to reinvent the wheel.
“We know there’s a lot of work that already has been done, that is being done,” Jon Boyens, the deputy chief of NIST’s Computer Security Division, said during a virtual event today. “We want to magnify that work, or bring it together, make it more consumable, and find the gaps.”
“The approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software,” the White House announced at the time. Microsoft, Google, IBM, Travelers and Coalition “committed to participating” in the framework’s development, according to the White House.
Boyens said NIST officials have been taking their time since the August meeting to discuss the ideal direction for the project and how to best engage stakeholders across the broad technology ecosystem.
“While we recognize that a lot of work is ongoing, we want to make sure that whatever we do, the initiative that we undertake has an impact and is deserving of the resources by both public and private sector participants,” he said.
The agency is specifically building off work stemming from the May cybersecurity executive order. Boyens lauded that initiative for focusing on actions geared toward software developers, rather than only end users.
“We want a lot of that work to finish out, and possibly think about extending that past software into hardware and services,” Boyens said.
Since the May executive order, NIST has published “recommended minimum standards” for the testing of software code. The agency is also working with the Federal Trade Commission on labeling programs to help consumers judge the security of both Internet of Things devices and software.
The supply chain project will also piggyback off ongoing work under NIST’s evolving Cybersecurity Framework, Boyens said. The agency additionally published a draft version of a new publication, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” in April.
NIST plans to release a request for information to get outside feedback about the potential parameters, goals and principles for the new framework. The agency will also set up a public website for the project.
“We really want the stakeholders to tell us where they think the biggest bang for the buck is, or the moonshot,” Boyens said.
One key question for NIST is how to address a persistent concern in industry about sharing sensitive supply chain security information with the government. A public-private task force convened by the Cybersecurity and Infrastructure Security Agency recently released proposals to assuage those concerns and improve information sharing between government and industry.
“One of our big questions I think we’ll put in the RFI is how to get a trust mechanism similar to what we’re doing in the software world: artifacts, evidence to achieve greater trust, to achieve greater assurance in the supply chain without sacrificing intellectual property,” Boyens said.
There are also questions about whether NIST will develop a binding supply chain security framework, similar to the Pentagon’s Cybersecurity Maturity Model Certification. NIST’s cybersecurity framework is voluntary. Meanwhile, the mandatory CMMC program is on hold amid a lengthy high-level review, while the official who was in charge of the effort is currently suing the Pentagon.
“We do not envision establishing and have no plans to establish any kind of certification regime or program,” Kevin Stine, chief of NIST’s applied cybersecurity division, said in response to questions about CMMC. “That is not to say others couldn’t pick up this work and incorporate that into approaches. But that is not part of our roadmap.”