January 21, 2022

Volume XII, Number 21

Seeking HoNIST Opinions, Part II – NIST Invites Comments on Major Revision to Cyber Supply Chain Risk Management Practices and Software Guidelines Mandated By Cybersecurity Executive Order

The National Institute of Standards and Technology (“NIST”) is seeking comments on its second draft of NIST SP 800-161 Rev. 1, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” published on October 28, 2021. We previously discussed the release of the first draft here. The public comment period currently is open and concludes on December 3, 2021. NIST anticipates releasing a final version during the third quarter of 2022.

The first draft published April 29, 2021 preceded the release of President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity (discussed previously here), which was issued on May 12, 2021. Executive Order 14028 directed NIST – and several other agencies – to enhance cybersecurity through implementation of various initiatives, with emphasis on enhancing software supply chain security. NIST takes the Executive Order into account in this second draft, and incorporates preliminary guidelines with criteria for evaluating software security, evaluating the security practices of developers and suppliers, and identifying innovative tools or methods to demonstrate conformance with secure practices (see Appendix F, Preliminary Guidelines for Enhancing Software Supply Chain Security).

In addition to the preliminary software security guidelines, this revision focuses on guidance for organizations to identify, assess, and mitigate cybersecurity risks in the supply chain, and to incorporate next-generation cyber supply chain risk management (“C-SCRM”) controls into their risk management activities. It includes specific information regarding implementation of C-SCRM security controls and guidance regarding the integration of C-SCRM into enterprise-wide risk management processes. In line with the Executive Order and renewed emphasis on securing the government supply chain, NIST recommends that companies engage in both internal and external supply chain risk management activities, communicate and collaborate across enterprise levels, and engage with peers to exchange cybersecurity supply chain risk management insights.

Notably, the revised publication addresses how agencies should approach supply chain risk under the Federal Acquisition Supply Chain Security Act (“FASCSA”), pursuant to which the government may identify specific covered products and sources to be restricted in the government supply chain. Appendix E of the revised publication focuses on FASCSA, providing additional guidance to federal agencies related to supply chain risk assessment factors, assessment documentation, risk severity levels, and risk response.

As mentioned, the comment period for this draft closes December 3, 2021. This revision contains key information regarding supply chain risk and controls that contractors will need to understand, as well as specific guidelines on enhancing software supply chain security as called for by Executive Order 14028. Significant government focus on cybersecurity, and particularly supply chain security, makes this a “must read” for contractors. We expect the publication will play a key role in forthcoming regulations and requirements. Thus, it is important that contractors and the private sector at large provide industry perspective as NIST seeks to finalize this guidance and address this issue of software supply chain security. More information on the commenting process can be found on the NIST website.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 314

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm
Associate

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

202-469-4917
Daniel J. Alvarado, Government Contract & Trade Attorney, Sheppard Mullin Law Firm
Associate

Daniel J. Alvarado is an associate in the Government Contracts, Investigations, and International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice

Daniel's practice encompasses all areas of government contracting, with a focus on matters of compliance, investigations, disclosure obligations, transactional due diligence, and bid protest litigation. He assists clients of all sizes in manning complex government regulatory requirements in the areas of schedule contracting,...

202.747.2325