Security Snippets: NIST publishes guide on due diligence for cyber supply chain risk management

7 November 2024

NIST’s “quick-start guide” is designed to assist acquirers as they evaluate the various risks across their network of suppliers, focusing on supply chain tiers, foreign ownership, control or influence (FOCI), provenance, stability, and foundational cyber practices.

Last week, the National Institute of Standards and Technology (NIST) released a “quick-start guide” to facilitate due diligence assessments from a cyber supply chain risk management perspective. The guide helps companies navigate due diligence under the agency’s Special Publication 800-161, which was revised in 2022 to address supply chain cybersecurity risks as directed by the Biden administration’s cybersecurity executive order.

Centered around information and communications technology suppliers, the guide outlines five particular categories for focusing diligence:

  • Supply chain tiers. The guide prompts acquirers to evaluate their supply chain beyond their direct suppliers and organize their suppliers into levels depending on their relationship with the aquirer (e.g., distinguishing between direct or “first-tier” suppliers and “second-tier” suppliers who offer services to those first-tier suppliers).
  • Foreign ownership, control or influence. This category involves assessing suppliers’ ties to governments and whether a foreign government holds “significant, ultimate, beneficial, or institutional ownership stake in the supplier.”
  • Provenance. Acquirers are advised to develop a “chronology” of its supply chain that tracks where components and subcomponents come from and who owns them at each stage.
  • Stability. Diligence considerations for stability focus on any risks or concerns that may impact a supplier’s ability to satisfy contractual obligations or compliance requirements, and anything which may impede product reliability.
  • Foundational cyber practices. The guide calls on acquirers to review both a supplier’s overall cybersecurity posture and the supplier’s product-specific practices for maintaining security.

For each category, NIST offers various research questions and other resources to help guide acquirers with their assessments. Emphasizing the importance of cyber diligence throughout the supply chain, the guide states that “[d]ue diligence research is the minimum amount of understanding that an acquirer should have on a supplier and should be done with most of the acquiring organization’s suppliers, regardless of criticality.”

NIST invites the public to comment on the guide, with the comment period closing on December 16th.

Contacts
Nathan Salminen
Partner
Washington, D.C.
Ryan Campbell
Law Clerk
Washington, D.C.
Keywords Security Snippets, NIST, National Institute of Standards and Technology, supply chain risk management, cybersecurity, cybersecurity due diligence
Languages English
Topics Privacy and Cybersecurity
Countries United States

 

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.

Thomson Reuters HighQ Logo
© 2024 Hogan Lovells | Privacy Policy | Terms of Service