Industry frets about supply chain standards in cyber framework

Supply chain management could be a bone of contention in the updated draft of the cybersecurity framework from the National Institute of Standards and Technology.

Comments on the draft were due April 10 to NIST. Among the changes is expanded language on potential cybersecurity risks in the IT supply chain.

Intel argued in its comments that supply chain risk management "is overly impactful as currently defined." The company said the "current incorporation of cyber supply chain risk management in this draft is immature and overly impactful for most organizations, and needs considerable rework."

Hardware companies have long been wary of supply chain restrictions and rules, because they deal in IT commodities, such as microchips and other components that can be sourced for cost and production efficiencies.

Intel also said measures in the framework carved out for the U.S. federal government were at cross-purposes with the document.

"The framework needs to continue to be as widely applicable as possible. Items specific to the U.S. Government seem to have been added, which have little place in a document with such wide global applicability," it said.

The U.S. Chamber of Commerce also had concerns with the supply chain portion of the document. The group "opposes government actions that would create U.S.-specific guidelines, set private sector security standards, or conflict with industry-led security programs," it wrote in its comments to NIST. "Instead, cybersecurity stakeholders should seek to leverage consensus-based international agreements that enable ICT manufacturers to build products once and sell them globally. The revised framework is constructively consistent with such a view.”

The Internet Security Alliance called out the potential for supply chain rules to be disproportionately hard on small businesses.

"As NIST wades into this area as it extends the [cybersecurity framework] it must be careful not to apply industrial age thinking to a digital age issue. As with issues discussed above, supply chain must be addressed with a full understanding of the economics of the problem," it said. "If we want small companies to become more secure, we need to make cybersecurity easier and cheaper for them."

There was more agreement among some internet privacy and high tech companies. In a joint filing that included Symantec, the Electronic Frontier Foundation, the Center for Democracy and Technology and New America's Open Technology Institute, the groups recommended NIST explicitly incorporate coordinated vulnerability disclosure and handling processes into the framework's core and tiers.

"Building such processes into the framework would not be a major revision," they said, "but rather a clarification of existing elements of the framework that will help organizations evaluate their preparedness to respond to vulnerability information and communicate with internal and external stakeholders."

A NIST spokeswoman told FCW that the framework team is processing about 130 comments, and the agency expects to have them all posted by the middle of the week of April 15.