NIST Standards and Guidelines for Enhancing Software Supply Chain Security Include Security Ratings
At SecurityScorecard, we believe that making the world a safer place means transforming how organizations view cybersecurity. For us, this means that companies must take a holistic approach, protecting systems not just from the inside, but also knowing what an organization’s vulnerabilities look like from the outside-in to see what the hackers are seeing. As the Deputy National Security Advisor for cybersecurity, Anne Neuberger, recently noted, “one needs to be able to see a space in order to defend a space.”
To further our mission, SecurityScorecard submitted comments in response to the National Institute of Standards and Technology (NIST) proposed revision to NIST Special Publication (SP) 800-161, “Cyber Supply Chain Risk Management Practices for Systems and Organizations.” Both the original SP 800-161 and the initial proposed draft of the revision were silent on the outside-in approach our security ratings platform provides for securing supply chains.
On October 28, 2021, NIST released the second draft of SP 800-161 Revision 1. In this draft, NIST validates our belief that security ratings provide valuable insight into organizations’ supply chain risk and enable more robust cybersecurity.
In the most recent draft, “Appendix F: A Response to Executive Order 14028’s Call to Publish Preliminary Guidelines for Enhancing Software Supply Chain Security” specifically lists “outside-in analyses,” and the security ratings platform technologies that enable them, as a foundational capability. Among the additional vendor risk assessment controls it recommends, the document states:
Perform outside-in analyses of vendors utilizing open-source data and, as resources permit, commercially available third-party assessment and security ratings platforms. Acquirers with access to confidential information may further supplement these outside-in analyses.
This acknowledgment by the primary U.S. standards-setting body is both validation and recognition of security ratings as a technology that empowers organizations to better secure their supply chains. Note that the draft frames outside-in analysis as one input alongside open-source data and, where acquirers have it, confidential information, rather than as a replacement for those sources. SecurityScorecard strongly supports the inclusion of security ratings in the most recent draft, as we believe they provide critical visibility into ecosystem-wide cybersecurity risk.