Featured Research

from universities, journals, and other organizations

Securing critical computer systems begins at the beginning, new report advises

Date:
August 4, 2010
Source:
National Institute of Standards and Technology (NIST)
Summary:
A new report discusses the challenge of maintaining information system security throughout a system's life cycle, and provides an array of practices designed to help mitigate supply chain security risks.

Nothing beats the feeling of starting up a new computer -- be it a laptop, desktop or a major, custom-designed computing system. A new system is a blank slate with no worry of botnets, viruses or any other cybersecurity hazards.

Not so, explains computer researcher Marianne Swanson at the National Institute of Standards and Technology (NIST), lead author of a draft report, Piloting Supply Chain Risk Management for Federal Information Systems. Information systems and components are under attack throughout the supply chain from the design phase -- including specification and acquisition of custom products -- through disposal. "Computer systems are under attack before installation by adversaries enabled by growing technological sophistication and facilitated by the rapid globalization of our information system infrastructure, suppliers and adversaries," Swanson says.

NIST has released a public draft of the new report for comment.

The supply chain report is geared to information systems that are categorized as "high-impact level," systems for which the loss of confidentiality, integrity or availability could be expected to have a "severe or catastrophic adverse effect on organizational operations, organizational assets or individuals."* The report provides an array of practices designed to help mitigate supply chain risk throughout the life cycle, not just on accepting systems and products "as they are" and managing risks after delivery. The practices are based on security procedures found in NIST special publications, and those from the National Defense University and the National Defense Industry Association, and these are expanded to include implementations specific to mitigating supply chain risk.

Typical examples of good practices recommended in the report include integrating information security and supply chain requirements from inception of the project, protecting the supply chain environment, hardening the supply chain delivering mechanisms and configuring the product to limit access and exposure.

Other recommendations:

  • Ensure your information system security, acquisition personnel, legal counsel, and other appropriate advisors and stakeholders are participating in decision making from system concept definition through review and are involved or approving each milestone decision.
  • Ensure the proper funding is allocated for information system security and supply chain risk management
  • Follow consistent, well-documented processes for system engineering and acquisition
  • Provide oversight of suppliers
  • Audit the development process
  • Perform quality assurance and control of security features
  • Assign roles and responsibilities and follow them
  • Fully implement the tailored set of baseline security controls in NIST Special Publication 800-53** appropriate to the system's impact level.

The supply chain security report is intended for information system owners, acquisition staff, information security personnel and systems engineers.

The Comprehensive National Cybersecurity Initiative 11, "Develop Multi-Pronged Approach for Global Supply Chain Risk Management," currently is pilot testing many of the practices. To get a more thorough sample, the writers of this draft report are asking readers to consider testing a few of the practices and to provide comments and lessons learned to the same e-mail address by Dec. 30, 2010.

* Categorizing system impact level is described in a NIST document, Standards for Security Categorization of Federal Information and Information Systems (Federal Information Processing Standards Publication 199), available on-line at http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

** Recommended Security Controls for Federal Information Systems and Organizations (Rev. 3), available on-line at http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.


Story Source:

The above story is based on materials provided by National Institute of Standards and Technology (NIST). Note: Materials may be edited for content and length.


Cite This Page:

National Institute of Standards and Technology (NIST). "Securing critical computer systems begins at the beginning, new report advises." ScienceDaily. ScienceDaily, 4 August 2010. <www.sciencedaily.com/releases/2010/08/100804110335.htm>.
National Institute of Standards and Technology (NIST). (2010, August 4). Securing critical computer systems begins at the beginning, new report advises. ScienceDaily. Retrieved July 25, 2014 from www.sciencedaily.com/releases/2010/08/100804110335.htm
National Institute of Standards and Technology (NIST). "Securing critical computer systems begins at the beginning, new report advises." ScienceDaily. www.sciencedaily.com/releases/2010/08/100804110335.htm (accessed July 25, 2014).

Share This




More Computers & Math News

Friday, July 25, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Bill Gates: Health, Agriculture Key to Africa's Development

Bill Gates: Health, Agriculture Key to Africa's Development

AFP (July 24, 2014) Health and agriculture development are key if African countries are to overcome poverty and grow, US software billionaire Bill Gates said Thursday, as he received an honourary degree in Ethiopia. Duration: 00:36 Video provided by AFP
Powered by NewsLook.com
Creative Makeovers for Ugly Cellphone Towers

Creative Makeovers for Ugly Cellphone Towers

AP (July 24, 2014) Mobile phone companies and communities across the country are going to new lengths to disguise those unsightly cellphone towers. From a church bell tower to a flagpole, even a pencil, some towers are trying to make a point. (July 24) Video provided by AP
Powered by NewsLook.com
Robot Parking Valet Creates Stress-Free Travel

Robot Parking Valet Creates Stress-Free Travel

AP (July 23, 2014) 'Ray' the robotic parking valet at Dusseldorf Airport in Germany lets travelers to avoid the hassle of finding a parking spot before heading to the check-in desk. (July 23) Video provided by AP
Powered by NewsLook.com
Facebook Earnings Put Smile on Investors Faces

Facebook Earnings Put Smile on Investors Faces

Reuters - Business Video Online (July 23, 2014) Facebook earnings beat forecasts- with revenue climbing 61 percent. Bobbi Rebell reports. Video provided by Reuters
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:
from the past week

In Other News

... from NewsDaily.com

Science News

    Health News

      Environment News

        Technology News



          Save/Print:
          Share:

          Free Subscriptions


          Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

          Get Social & Mobile


          Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

          Have Feedback?


          Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
          Mobile: iPhone Android Web
          Follow: Facebook Twitter Google+
          Subscribe: RSS Feeds Email Newsletters
          Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins