The National Institute of Standards and Technology (NIST) has released revised cybersecurity guidance on defending against supply chain attacks. The updated guidance is designed to help organizations protect themselves as they acquire and use technology products and services.
The publication provides guidance on identifying, assessing and responding to cybersecurity risks throughout the supply chain at all levels of an organization. It also offers key practices for managing cybersecurity risks within and across supply chains.
“The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it,” NIST said in a press release.
According to a 2021 report by ENISA (the European Union Agency for Cybersecurity), 66% of the attacks documented in 2021 focused on the supplier’s code. In 66% of the supply chain attacks, suppliers did not know, or failed to report, how they were compromised, while less than 9% of the victims compromised via supply chain attacks did not know how the attacks occurred.