The Official (ISC)2 CISSP CBK Reference - Leslie Fife, Aaron Kraus - Page 166

NIST IR 7622


The U.S. government began directly addressing cyber supply chain risk as a separate issue with the publication of NIST IR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems.” This work recognizes that the actions required of the entities in the supply chain will change depending on their role, as will the level and type of control to be applied. The document identifies 10 practices that should be taken into account in addressing supply chain risk:

 Uniquely identify supply chain elements, processes, and actors.

 Limit access and exposure within the supply chain.

 Establish and maintain the provenance of elements, processes, tools, and data.

 Share information within strict limits.

 Perform supply chain risk management awareness and training.

 Use defensive design for systems, elements, and processes.

 Perform continuous integrator review.

 Strengthen delivery mechanisms.

 Assure sustainment activities and processes.

 Manage disposal and final disposition activities throughout the system or element lifecycle.

The U.S. government has a number of other supply chain risk management initiatives, including Committee on National Security Systems Directive (CNSSD) 505, “Supply Chain Risk Management,” which specifically addresses security requirements for strategic national systems, and Comprehensive National Cybersecurity Initiative (CNCI) Number 11, which provides agencies with a set of tools to manage their cyber supply chain through a risk-driven approach.
