ANSI to Hold July 27–29 Workshop on Global Supply Chain Security for Microelectronics Standardization

The American National Standards Institute (ANSI) has announced plans to convene on behalf of the U.S. Department of Defense (DoD) a workshop on global supply chain security for microelectronics standardization. The workshop will be held July 27–29 at the headquarters of Booz Allen Hamilton, 8283 Greensboro Dr., McLean, VA. While in-person participation is strongly encouraged, remote participation will be offered. The workshop agenda and registration information will be announced in due course.

The workshop will assist DoD in gathering and assessing information regarding relevant standardization activities to fulfill its mandate under Section 224 of the FY20 National Defense Authorization Act (NDAA) requiring that DoD microelectronics products and services meet trusted supply chain and operational security standards.

Stakeholders identified for targeted outreach include DoD, the Departments of Homeland Security, State, and Commerce—especially the National Institute of Standards & Technology (NIST)—along with suppliers of microelectronics products and services, representatives of major industry sectors that rely on a trusted supply chain and the operational security of microelectronics products and services, and the insurance industry. Ultimately, DoD seeks to foster an ecosystem where trusted supply chain and operational security standards for procuring microelectronics products and services are widely adopted by U.S. government agencies, allies, partners, and commercial industry.

NIST Official: Revised Cybersecurity Supply Chain Guidance Imminent

Source: Nextgov
Published: April 27, 2022

The National Institute of Standards and Technology is about to publish guidance for securing enterprises against supply chain hacks following the SolarWinds event and other major third-party attacks targeting critical infrastructure. “The flagship cybersecurity supply chain risk management guidance is [Special Publication 800-161],” NIST’s Angela Smith said. “We’re going to actually be releasing the first major revision—revision one—by the end of next week, so everybody should be on the lookout for that if you’ve not already had a chance to review some of the public drafts that have come out.”

One Year In: The Executive Order and Securing Software Supply Chains

In response to the Executive Order on Improving the Nation’s Cybersecurity published in May 2021, new mandates call for accelerating the adoption of secure open source software (OSS) and commercial off-the-shelf solutions to shorten software delivery cycles from years to minutes. Additionally, the National Institute of Standards and Technology (NIST) has provided updated guidance for strengthening the security of critical software purchased by U.S. federal government programs from industry software suppliers and partners.

Join ATARC and government and private sector experts working across Federal defense agencies as they cover:

  • Key insights from the Executive Order on Cybersecurity
  • Latest directives from the DoD, NIST, and other Federal agencies on using and securing OSS
  • Role of the software bill of materials (SBOM) in securing your software supply chain

Register here: One Year In: the Executive Order and Securing Software Supply Chains – ATARC

NIST Refreshing Voluntary Cybersecurity Framework Amid Push for Mandates

Source: Nextgov
Published: February 22, 2022

The National Institute of Standards and Technology wants to know how it might improve its landmark framework of cybersecurity standards and practices and streamline similar efforts related to particular issues like privacy and supply-chain security. “Every organization needs to manage cybersecurity risk as a part of doing business, whether it is in industry, government or academia,” said Commerce Deputy Secretary Don Graves in a news bulletin NIST published Tuesday. “It is critical to their resilience and to our nation’s economic security. There are many tools available to help, and the CSF is one of the leading frameworks for private sector cybersecurity maintenance. We want private and public sector organizations to help make it even more useful and widely used, including by small companies.”

NIST SP 800-160v1 Revision 1 Initial Public Draft out for Review

NIST is releasing the draft of a major revision to Special Publication (SP) 800-160 Volume 1, Engineering Trustworthy Secure Systems. This publication is intended to serve as a reference and educational resource for engineers and engineering specialties, architects, designers, and personnel involved in the development of trustworthy secure systems and system components. The guidance can be applied selectively by organizations, individuals, or engineering teams to improve the security and trustworthiness of systems and system components.

In particular, Draft SP 800-160 Volume 1, Revision 1 focuses on the following strategic objectives, which drove the majority of changes to the publication:

  • More strongly positioning Systems Security Engineering (SSE) as a sub-discipline of Systems Engineering (SE)
  • Emphasizing that the responsibility for engineering trustworthy secure systems is not limited to security specialties and that the achievement of security outcomes must properly align with SE outcomes
  • Aligning SSE practices with safety practices and other disciplines that deal with the loss of assets and the consequences of asset loss
  • Focusing on the assurance of the correctness and effectiveness of the system’s security capability to achieve authorized and intended behaviors and outcomes and control adverse effects and loss
  • More closely aligning systems security engineering work to international standards

NIST is interested in feedback on the specific changes made to the publication during this update, including the organization and structure of the publication, the presentation of the material, its ease of use, and the applicability of the technical content to current or planned systems engineering initiatives.

Submit comments using the comment template provided.

https://csrc.nist.gov/publications/detail/sp/800-160/vol-1-rev-1/draft

Cybersecurity Reference and Resource Guide

2019 Cybersecurity Resource and Reference Guide_DoD-CIO_Final_2020FEB07

The purpose of this document is to provide a useful reference of both U.S. and International resources, in order to develop cybersecurity programs and to build and maintain strong network protection. Extensive reference materials exist that support efforts to build and operate trusted networks and ensure information systems maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability. The resources compiled here support security cooperation and shared best practices to help achieve collective cybersecurity goals. This guide provides readily available and unclassified information pertaining to cybersecurity norms, best practices, security cooperation, policies and standards authored and adopted by the United States (U.S.) government, the U.S. Department of Defense (DoD), and recognized international institutes and workforce development training resources provided by government, industry, and academia.

Aspects related to Cyber Supply Chain Risk Management in the document:

Cyber Supply Chain Risk Management (SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of information and operational technology product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an information and operational technology product or service at any stage.

Website: https://csrc.nist.gov/Projects/Supply-Chain-Risk-Management

NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, April 2015

Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with federal agencies’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. It integrates SCRM into federal agency risk management activities by applying a multi-tiered, SCRM-specific approach, including guidance on supply chain risk assessment and mitigation activities.

Website: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pd

Commerce Proposes New Software Supply Chain Safety Criteria

Source: MeriTalk

The Department of Commerce is proposing new safety criteria for connected software to help better secure information and communications technology and services (ICTS) supply chains, including potential third-party audits of connected software and ICTS transactions, according to a proposed rule posted to the Federal Register Nov. 26.

The Department of Commerce is seeking feedback on the rule in its entirety but is also specifically looking for feedback on how to define what is a “reliable third-party” for the purposes of the rule. The agency also wants to know if its criteria of “third-party auditing of connected software applications” is sufficiently descriptive or whether the agency needs to get more specific.

The agency will accept public comment on the proposed rule until Dec. 30.

Webinar on Updates to NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

The NIST Cybersecurity Supply Chain Risk Management Team is hosting a webinar on December 1 to provide an overview of the changes made in its 2nd public draft of Special Publication 800-161, Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. NIST seeks to engage stakeholders to provide clarity, answer questions, and gather stakeholder comments and opinions to ensure that Revision 1 will deliver comprehensive and relevant cybersecurity supply chain risk management practices and guidance.

There will also be a panel of experts to discuss the new Appendix F: A Response to Executive Order 14028’s Call to Publish Preliminary Guidelines for Enhancing Software Supply Chain Security, which responds to the directive outlined in Section 4(c) of the EO.

For additional information and to register, please visit: https://csrc.nist.gov/Events/2021/2nd-public-draft-sp-800-161-revision-1-workshop