NIST Perspective on Supply Chain Security

On November 14th and 15th, the National Institute of Standards and Technology (NIST) hosted its 5th Cybersecurity Framework workshop to discuss the implementation and future governance of its Cybersecurity Framework. Bringing together critical infrastructure owners and operators and their cybersecurity staff, the workshop and the Framework highlight the growing, urgent need for a voluntary framework for reducing cyber risk. To help foster international harmonization, the Framework is aligned with most of the major international standards, such as ISO/IEC 27001.

The constant theme throughout this workshop was supply-chain security, summed up in the maxim “you are only as strong as the weakest link”.

Supply-chain security is finally becoming one of the hottest topics heading into 2014.

The National Association of Federal Credit Unions (NAFCU) recently asked Congress to hold breached retailers, processors and other third parties accountable when their lax security practices result in the leakage of card data.

NAFCU’s Five-Point Plan for Regulatory Relief includes specific measures for third-party accountability, such as:

  • Establish national standards for the safekeeping of all financial information.
  • Establish enforcement standards for data security that prohibit merchants from retaining financial data, and require merchants to disclose their data security policies to customers.
  • Hold merchants accountable for the costs of a data breach, especially when it was due to their own negligence; shift the burden of proof in data breach cases to the party that incurred the breach; and require timely disclosures in the event of a breach.

Banking regulators, following the lead of the healthcare regulators, contend that the burden of ensuring third-party security falls on the banking institutions themselves. That is how it has to be if we are to ensure good oversight.

The security of our banking institutions depends on their ability to secure, administer, and navigate their network of business relationships. If we can effectively protect and manage our supply chains, the ability to respond productively to stresses can yield important benefits, such as:

  • Decreased losses and lower associated business costs
  • Improved business continuity via a more robust, resilient, and responsive supply chain
  • Greater end-to-end transparency for improved process management and efficiency
  • Competitive advantages over industry rivals when supply chain risks arise
  • Brand protection
  • Customer satisfaction

The NIST Cybersecurity Framework has at least started the conversation around the importance of the supply chain and the need for more oversight of third parties. However, we need more transparency and accountability from those that do not employ adequate security measures. Without accountability and enforcement, there is no motivation for third parties to take security seriously.

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 25 years of successful experience in Management System Development.

Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed or otherwise represent those of BSI Group, or any other of its employees, officers, directors or anyone otherwise affiliated with BSI Group.