The Biden administration has tasked the National Institute of Standards and Technology (NIST) to work with industry and other parties to come up with a new framework “to improve the security and integrity of the technology supply chain.”
The directive to NIST was one of the major takeaways from the White House’s August 25 meeting between administration officials, tech-sector and other private-company chief executive officers, and representatives of the education and insurance sectors. The meeting follows numerous cybersecurity policy initiatives that the administration has undertaken since January. President Biden said the aim of this week’s gathering was to “raise the bar” on cybersecurity across the government, critical infrastructure, and private sectors.
The White House said that NIST’s work will “serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software.”
It’s unclear how and whether any NIST guidelines might be binding on Federal or private entities. The agency’s landmark cybersecurity framework for critical infrastructure industries remains a voluntary guideline, although over the years its contents have assumed something close to the stature of a de facto standard in some quarters, including the cyber insurance market and with the requirements of the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program.
In a new-sounding twist on Federal agency policymaking, the White House said that private sector participants in the cybersecurity meeting – including Microsoft, Google, insurer Travelers, and cyber insurance provider Coalition – “have committed to participating in this NIST-led initiative.” It’s unclear how that participation would differ from normal NIST standard-making exercises where the agency seeks public input on its work.
The Federal government, through the Cybersecurity and Infrastructure Security Agency (CISA), already has its arms around at least some of the same technology supply chain issues through existing efforts. That work is carried out through the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, which last month had its term extended to July 2023.
CISA’s ICT task force is a public-private partnership composed of representatives from large and small private-sector organizations that identifies challenges and solutions for managing risks to the global ICT supply chain. It is chaired by CISA and the IT and Communications Sector Coordinating Councils.
ICS Cyber Scope Expands
Elsewhere on the government policy outcomes of the meeting, the White House announced an expansion of the Industrial Control Systems Cybersecurity Initiative – originally established in April with an initial focus on the electricity sector – into the natural gas pipelines sector.
“The initiative has already improved the cybersecurity of more than 150 electric utilities that serve 90 million Americans,” the White House said.