On May 5, 2022, the National Institute of Standards and Technology (NIST) formally recognized outside-in third-party security ratings and vendor risk assessment in its update to Special Publication 800-161. This update to federal standards specifically cites security ratings as a “foundational capability” that “provide[s] recommended vendor risk assessment and attestation capabilities beyond those outlined in Section 4 of [Executive Order] 14028.”
NIST SP 800-161 was designed to standardize supply chain risk management best practices for federal agencies and industry. Every organization, whether a publicly held corporation, a private enterprise, or a government agency, benefits from clear standards and practices, and needs the ability to assess and analyze its vendors.
SecurityScorecard, the global leader in cybersecurity ratings and the only service with millions of companies continuously rated, applauds NIST’s work to update these critically important cybersecurity practices. SecurityScorecard directly supports NIST’s revision, which is intended to strengthen supply chain security in both the public and private sectors. In particular, Appendix F of SP 800-161r1 clearly identifies the primary failure points in the supply chain, any or all of which can be obscured or invisible to an organization. SecurityScorecard’s suite of free applications identifies and measures those risks by delivering the “outside-in” view recommended by NIST.
“Organizations are concerned about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. These risks are associated with an enterprise’s decreased visibility into and understanding of how the technology they acquire is developed, integrated, and deployed or the processes, procedures, standards, and practices used to ensure the security, resilience, reliability, safety, integrity, and quality of the products and services.” – NIST Special Publication 800-161r1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
Those guidelines, which are ultimately aimed at federal agencies but are also available for commerce, industry, academia, and others to use, include both criteria for evaluating software security itself and criteria for evaluating the security practices of developers and suppliers. SecurityScorecard’s suite of solutions supports the full array of foundational capabilities, sustaining capabilities, and enhancing capabilities defined by NIST.
SecurityScorecard’s toolset allows organizations to demonstrate that their vendors comply with the new guidelines, and to do so in real time. This enables best practices that until now have been hampered by a “quarterly report mindset,” which takes momentary snapshots of organizational health only a few times a year. Most important is the power to actively monitor the status of vendors and other arm’s-length suppliers, whose security postures can change as new threats emerge in the cybersecurity landscape.
This is critical because, although the new NIST requirements ask “vendors to periodically submit third-party attestation that they conform to the applicable requirements of SSDF V1.1 and the enhancing SSDLC capabilities,” the warp-speed attacks carried out by cyber threat actors move faster than periodic attestation and outpace a “raised shields” posture of reactive response and remediation. SecurityScorecard’s delivery of real-time insights and evaluations empowers organizations to identify potential breaches of their own perimeters that originate with vendors and other third parties.
With security ratings now among the NIST-recognized “evolving standards, tools, and recommended practices” for enhanced vendor risk management, security ratings are fast becoming a critical part of achieving the explicit cybersecurity maturity levels that are now necessary for all organizations to strengthen their software supply chain security capabilities.
As we advised in this blog last November:
At SecurityScorecard, we believe that making the world a safer place means transforming how organizations view cybersecurity. For us, this means that companies must take a holistic approach, protecting systems not just from the inside, but also knowing what an organization’s vulnerabilities look like from the outside-in to see what the hackers are seeing. As the Deputy National Security Advisor for cybersecurity, Anne Neuberger, recently noted, “one needs to be able to see a space in order to defend a space.”
SecurityScorecard’s longstanding success at delivering vital information to organizations about cybersecurity risks associated with third-party supply chain providers is fully aligned with the President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity issued on May 12, 2021.