NCCoE publishes the second part of the supply chain assurance guide
The US National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence (NCCoE) have issued for public comment the second of three volumes of the upcoming practice guide titled Validating the Integrity of Computing Devices. The first volume was an executive summary that explained the project's challenge, solution, and benefits. The second volume provides an overview of the project's approach, architecture, and security characteristics. It contains the following sections:

(1) The challenge addressed by this NCCoE project, including the approach to addressing the challenge, the solution demonstrated, and the benefits of the solution.
(2) How to use this guide, which explains how business decision-makers, program managers, and information technology and operational technology professionals might use each volume of the guide.
(3) The approach, which offers a detailed treatment of the project's scope, the risk assessment that informed the solution, and the technologies and components that industry collaborators supplied to build the example solution.
(4) The architecture, which specifies the components of the prototype implementation and details how data and communications flow between validation systems.
(5) The security characteristic analysis, which examines the extent to which the project's prototype implementation meets its objective: demonstrating how organizations can verify that the components of their acquired computing devices are genuine and have not been tampered with or modified throughout the devices' life cycles.
(6) Future considerations, which cover the technical characteristics planned to be incorporated in the future.

The deadline for public comments is September 29, 2021.