Advocacy Submits Letter to NIST on Cyber Supply Chain Risk Management Practices for Systems and Organizations
In April 2021, the National Institute of Standards and Technology (NIST) issued a draft revision to its publication Cyber Supply Chain Risk Management Practices for Systems and Organizations. The updates were designed to provide organizations with ways to better identify and respond to cyber threats while aligning with other federal cybersecurity guidelines. The Office of Advocacy (Advocacy) respectfully submits the following letter on NIST’s updated draft publication.
Advocacy appreciates NIST’s efforts to make this publication more consumable but is concerned that NIST does not discuss small businesses. Advocacy recommends that NIST discuss the risk that this guidance will become a set of de facto requirements and the effect that would have on small businesses. Advocacy also recommends that NIST describe the small businesses in the cyber supply chain and how this guidance pertains to them, as well as provide summary information that small businesses can easily understand. Finally, Advocacy requests that NIST discuss how components of this guidance relate to policies from other agencies and to some of the broader cybersecurity issues facing small businesses.