6 May 2022

NIST updates guidance on supply chain risk management practices

The National Institute of Standards and Technology (NIST) has released revised cybersecurity guidance, Special Publication 800-161 Revision 1 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations), on defending against supply chain attacks. The updated guidance is designed to help organizations protect themselves as they acquire and use technology products and services.

The publication provides guidance on identifying, assessing and responding to cybersecurity risks throughout the supply chain at all levels of an organization. It also offers key practices for managing cybersecurity risks within and across supply chains.

“The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it,” NIST said in a press release.

According to a 2021 report by ENISA (the European Union Agency for Cybersecurity), 66% of the supply chain attacks documented in the report focused on the supplier's code. In 66% of the incidents, suppliers either did not know or failed to report how they were compromised, whereas less than 9% of the customers compromised through supply chain attacks did not know how the attacks occurred.
