NIST SP 800-161 PDF


Bigg Gernes

Aug 4, 2024, 10:19:59 PM
to bersiatrebem
While government agencies and federal suppliers have used the framework to improve their cybersecurity awareness, incident response strategies, and risk mitigation practices, the revised document is flexible enough to be used by organizations in any sector.

With NIST SP 800-161 rev. 1 guidelines, an organization has a framework to examine any part of a supply chain and identify, assess, and mitigate cybersecurity risks. NIST SP 800-161 rev. 1 integrates cybersecurity supply chain risk management (C-SCRM) and risk management, helping companies form directives, strategies, implementation plans, policies, and supply chain risk assessments for products and services.


It is not a roadmap to an agreed level of capability, but organizations of all sizes and structures can adapt the guidelines to implement sufficient supply chain risk management activities and ensure they meet minimum security requirements to protect themselves, their clients, and their business partners.


The NIST 800 series describes the US policy on computer security and network infrastructure. NIST SP 800-53 gives an overview of all the minimum security safeguards required to achieve information security with this framework.


NIST 800-161 is complementary to NIST 800-53. It incorporates ICT supply chain risk management, providing updated guidance on identifying, assessing, and responding to supply chain risks throughout an organization.


So NIST 800-53 summarizes the first moves for companies wishing to develop or improve cybersecurity programs with the NIST cybersecurity framework. Once an organization has implemented NIST 800-53, it can then use NIST 800-161 to mature its supply chain security.


NIST 800-161 is primarily used to define and handle supply chain risks that may affect an organization. Both publications can be used together if entities within the supply chain handle CUI and, therefore, must abide by its rules.


NIST generally considers Supply Chain Risk Management (SCRM) and Cyber Supply Chain Risk Management (C-SCRM) - which overlaps with traditional information security - the same concept. Exploring NIST 800-161 rev. 1 guidelines can help businesses concerned with ICT supply chain risks or seeking information on supply chain security and this area of risk management.


Day-to-day business processes that lead to the creation, distribution, or sale of products and services typically rely on supplies from other businesses, whether these supplies are products, services, or raw materials.


The supply chain might be simple for a small firm, but enterprise-level operations tend to have a complex supply chain ecosystem of interconnected parts, typically with a wide geographic distribution, especially with IT service providers that need not be bound by geographic location.


A supply chain, therefore, refers to the linked set of processes and resources required at various levels of an enterprise. It begins with sourcing products and services and continues throughout the product or service's lifecycle.


With advanced communications, manufacturing techniques, and logistics, organizations can achieve significant cost reductions and other benefits with information sharing and proper management of their supply chains. For example, open-source or off-the-shelf software solutions can help businesses in all sectors be more cost-effective.


However, the multitude of solutions and avenues within the supply chain also increases the potential risk. Furthermore, digital security risks in the software supply chain can be hard to detect until they impact the acquirer or user.


According to the guidelines, risk management works best when it involves people from various important business processes. Restricting cybersecurity risk management to security or technical personnel is unlikely to provide robust, company-wide solutions.


Assessing software vendors is critical to ensure that the software used by federal organizations does not have exposed vulnerabilities. Developers may, after all, release software knowing it will need patching to remain reliable and safe.


NIST 800-161 helps organizations acquire and use open-source software according to helpful standards to protect information security. One of its recommendations is that organizations use approved, verified sources for open-source software to limit exposure to cybersecurity risks via this part of the digital supply chain.


It specifies that organizations must educate themselves and follow best practices established by the open-source software community, including configuration management, project maintenance, and procedures regarding reusable libraries that limit exposure to cybersecurity risks.
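The two preceding paragraphs recommend obtaining open-source components only from approved, verified sources. The following is an added example, not code from NIST SP 800-161 or from any project, of what that gate can look like in a build pipeline: a downloaded artifact is admitted only if its URL comes from an allowlisted host over HTTPS and its SHA-256 digest matches a pin recorded at review time. The allowlist entries, the artifact bytes, and the pin are constructed for illustration; in practice the pin would come from a lockfile, not be computed from the download itself.

```python
"""
Admission check for an open-source artifact: approved source + pinned digest.

Added example, not from NIST SP 800-161 or any project. The allowlist, the
artifact bytes and the digest pin below are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict
from urllib.parse import urlparse

# Constructed allowlist of hosts approved as sources of open-source
# components (hypothetical values; an internal mirror plus a public index).
APPROVED_SOURCES = {
    "artifacts.internal.example",
    "files.pythonhosted.org",
}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def source_is_approved(url: str) -> bool:
    """True only for https URLs whose host is on the allowlist."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in APPROVED_SOURCES


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact contents."""
    return hashlib.sha256(data).hexdigest()


def evaluate_artifact(url: str, data: bytes, pins: Dict[str, str]) -> Verdict:
    """Admit the artifact only if its source is approved and its digest
    matches the pin recorded for that URL (pins maps url -> sha256 hex)."""
    if not source_is_approved(url):
        return Verdict(False, "source not on approved list")
    expected = pins.get(url)
    if expected is None:
        return Verdict(False, "no digest pinned for this artifact")
    actual = sha256_hex(data)
    # Constant-time comparison so the check itself leaks nothing about the pin.
    if not hmac.compare_digest(actual, expected):
        return Verdict(False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}...")
    return Verdict(True, "source approved and digest verified")


if __name__ == "__main__":
    # Constructed bytes standing in for a downloaded tarball (not a real package).
    good = b"example-lib-1.2.3 contents"
    url = "https://files.pythonhosted.org/packages/example_lib-1.2.3.tar.gz"
    # A real pin lives in a reviewed lockfile; computing it here from the
    # known-good bytes only keeps the example self-contained.
    pins = {url: sha256_hex(good)}
    print(evaluate_artifact(url, good, pins))                                 # accepted
    print(evaluate_artifact(url, good + b"\x00", pins))                       # tampered bytes
    print(evaluate_artifact("https://downloads.example.net/x.tgz", good, pins))  # unapproved host
```

The check is deliberately two-sided: a trusted host alone is not enough (a mirror can be compromised or a release re-uploaded), and a matching digest alone is not enough (the pin must itself have been recorded from a reviewed source). Both conditions are evaluated, and the first failure is reported so the build log names the exact reason.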


The NIST 800-161 guidelines acknowledge the challenges organizations face when improving supply chain cybersecurity. Its foundational practices are many and varied, each helping businesses move incrementally toward improved supply chain cybersecurity and more advanced supply chain cybersecurity practices.


There is some overlap between these sustaining practices and the foundational practices. Once a business has achieved proficiency with the foundational practices and is ready to take C-SCRM to the next level, it should focus more on the sustaining practices.


According to NIST, security controls aim to protect the confidentiality, integrity, and availability of information systems and the information they process, store, and transmit. NIST 800-53 describes 19 security control families to help organizations use its SCRM control assessment techniques.


Used with NIST SP 800-161, it provides a baseline that helps organizations understand their current security postures, prioritize areas that need urgent attention, and measure the effectiveness of their risk management programs.


Awareness training guides organizations regarding defining and implementing training and education for cyber awareness and methods for making cybersecurity training a sustainable strategy to reduce cyber risks.


Event logging is an important part of any cybersecurity system. Logs help cybersecurity professionals identify the locations and sources of problems during a cyber incident, like a data breach or data leak.


This set of controls helps firms continuously improve their cybersecurity policies, procedures, and systems. It helps organizations assess their current cybersecurity maturity and refine their practices. Cybercriminals are continually seeking vulnerabilities and ways to exploit them. This family helps organizations stay current to limit the potential impact of emerging threats.


Misconfiguration can lead to significant vulnerabilities in cybersecurity systems. Through a misconfigured database, for example, users may be able to find sensitive data with just a web search, without authentication.
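The database example above, exposed to the network with no authentication, is the kind of weak setting a configuration baseline check should catch before the system goes live. As an added example (not from NIST SP 800-161 or any product), the following parses a simple key = value configuration file and reports the dangerous combinations, with the weak configuration shown beside its corrected form. The file format and the keys `bind_address`, `require_auth` and `tls` are hypothetical and not tied to any real database server.

```python
"""
Baseline check for a network-exposed, unauthenticated database listener.

Added example; the config format and the keys below are hypothetical and
do not correspond to any real database product.
"""
from typing import Dict, List

# Constructed weak configuration: reachable from any interface, no auth, no TLS.
WEAK = """
# hypothetical database server config
bind_address = 0.0.0.0
port = 9000
require_auth = false
tls = false
"""

# Constructed corrected configuration for the same service.
HARDENED = """
bind_address = 127.0.0.1   # loopback only; expose via an authenticated proxy if needed
port = 9000
require_auth = true
tls = true
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse key = value lines; '#' starts a comment, keys are case-insensitive."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


def _is_true(conf: Dict[str, str], key: str) -> bool:
    return conf.get(key, "false").strip().lower() == "true"


def audit(conf: Dict[str, str]) -> List[str]:
    """Return findings, most severe first; empty list means the baseline holds."""
    findings: List[str] = []
    bind = conf.get("bind_address", "127.0.0.1").strip()
    exposed = bind in ("0.0.0.0", "::", "*")
    auth = _is_true(conf, "require_auth")
    tls = _is_true(conf, "tls")

    if exposed and not auth:
        findings.append("CRITICAL: listens on all interfaces with authentication disabled")
    elif exposed:
        findings.append("HIGH: listens on all interfaces; confirm network ACLs restrict clients")
    elif not auth:
        findings.append("MEDIUM: authentication disabled; any local process can read the data")
    if exposed and not tls:
        findings.append("MEDIUM: network-exposed listener without TLS")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_config(text)) or ["baseline OK"])
```

The severity logic treats the combination as the problem: an exposed listener with authentication is a network-ACL question, an unauthenticated listener on loopback is a local-privilege question, but the two together are exactly the unauthenticated-search scenario described in the paragraph above and are reported as critical.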


Among the issues this set of controls addresses is the management of unknown devices. Organizations require written policies regarding how they treat unknown, unvetted devices to protect the integrity of information systems.


In cybersecurity, contingency planning involves preparing for potential system failures and data breaches. While many cybersecurity practices focus on preventing cyber attacks, contingency planning helps organizations function even after the worst has happened.


These controls help organizations create formal contingency plans that help them restore normal operations as quickly and efficiently as possible. The systems by which this is achieved include data backups and the use of cloud-based storage solutions.


Alternate sites are also a consideration at this stage, so these control groups help businesses face the possibility of having to relocate due to an incident. They also help companies to create policies and procedures for testing contingency plans, which is essential to their successful, efficient implementation during a crisis.


This set of controls helps organizations with training and other preparations for a cyber security incident. It includes standards for the creation of a documented incident response plan. This should comprise specific incidents that could occur and impact the organization, as identified and assessed during the risk management process.


Specific incidents might include a ransomware attack, a data breach by an insider, or a distributed denial-of-service (DDoS) attack. Businesses will have different primary risks according to size, sector, location, and other variables.


Cybersecurity maintenance controls refer to software and hardware maintenance. Updates ensure that software is patched and that hardware is fully functional, preventing downtime and remediating vulnerabilities.


Proper maintenance requires a software and hardware audit policy to ensure maintenance is not left to chance. The maintenance policy should identify who is responsible for maintenance and their key responsibilities.


Media protection controls refer to the policies on how an organization uses media and how the files are stored. It needs to cover how and when they are destroyed. This set of controls helps organizations establish written procedures to ensure data protection by preventing things from slipping between the cracks, which could lead to data leaks or data breaches.


This control family helps organizations monitor their visitors to control physical access and assists organizations in detailing their intended response to physical threats. These responses might include relocation to alternative facilities or switching to emergency power sources.


While much of cybersecurity can be outward facing, it is essential to mitigate potential risks from bad actors internal to the organization. These controls acknowledge that different employees have different exposures to risk and different information access needs. The family helps organizations develop sufficient policies and procedures regarding personnel to protect information security.


Using PII has become a necessity for most modern businesses, but losing PII in a data breach can be damaging in terms of financial loss and lost reputation. This essential family helps organizations face the risk of collecting, storing, and transmitting PII, focusing on ways to lower the risk associated with this sensitive information. These controls help organizations protect data by managing PII through consent and privacy policies.
