Earlier this month, a revised version of NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, was released. The update provides federal agencies with the latest guidance on identifying, assessing, and responding to risks throughout the supply chain.

Why did NIST SP 800-161 need to be revised?

President Biden’s May 2021 Executive Order (EO) on Improving the Nation’s Cybersecurity acknowledged that there are a growing number of software security risks throughout the federal supply chain. One of the EO’s goals was to set out steps for mitigating such risks, with the focus being on Cybersecurity Supply Chain Risk Management (C-SCRM) for federal acquirers.

Section Four of the Order sets out several directives relevant to the supply chain. Within 180 days of the order, NIST was expected to publish preliminary guidelines based on consultations for enhancing security, and additional and updated guidelines, including review procedures, were expected within 360 days.

A number of other recommendations for modernizing federal government cybersecurity were also outlined in the Cyber EO. Notably, ambitious targets for the adoption of zero trust architecture in the public sector, resulting in federal agencies being tasked with implementing zero trust within set timeframes.

The importance of risk management for the supply chain

While the Cybersecurity Executive Order was an update aimed at federal agencies and their suppliers, a high level of risk management is still needed for all large organizations with complex supply chains.

Many organizations and their supply chains are linked to networks of manufacturers, software developers and service providers across the world. For instance, a product could be designed in one location and then built using components from a variety of regions and suppliers.

The NIST SP 800-161 publication revisions provide key practices that need to be adopted to mitigate software security risks, highlighting exactly why it is important to consider vulnerabilities not just in the product, but in all components used in the process to build and develop it.

When a cyber incidents happens at any point in the supply chain, it can have a significant impact on the organization. There is often disruption to operations and a supplier’s profits and reputation are damaged. These incidents can range from ransomware attacks and data breaches to the installation of malicious software.

One of the most high-profile examples is the SolarWinds attack, which impacted around 18,000 customers. A survey found the average financial impact of this incident on affected companies was around $12 million per company.

In 2014, Shylock malware was found to have been installed on 30,000 machines worldwide and mostly targeted UK bank accounts. The malware affected computers running the Microsoft Windows operating system and resulted in many victims having funds stolen from their accounts.

Detecting and remediating vulnerabilities in network devices

Network vulnerability management is essential, therefore, for every step in the supply chain. Titania’s configuration assessment tool, Nipper, can be used to detect exploitable misconfigurations in networking devices that pose a risk to the network. The software provides risk remediation advice and exact technical fixes to ensure that routers, switches and firewalls remain secure and compliant.

Request a free trial to experience the power of Nipper today.

Matt Malarkey