Date Published: November 2019
Comments Due:
Email Questions to:
Author(s)
Tyler Diamond (NIST), Nakia Grayson (NIST), Celia Paulsen (NIST), W. Polk (NIST), Andrew Regenscheid (NIST), Murugiah Souppaya (NIST), Christopher Brown (MITRE)
Announcement
The National Cybersecurity Center of Excellence (NCCoE) at NIST is seeking comments on a draft project description that will focus on helping organizations decrease the risk of compromise to their information and operational technology product and service supply chain.
The goal of this project is to document an approach to verify the supply chain integrity of computing devices at product acceptance by leveraging hardware roots of trust that are commonly included in commercial off-the-shelf personal computing devices. It will consider the computing device lifecycle starting with the manufacturing process through the delivery, acceptance, provisioning, use and disposition of the device.
The project will result in a freely available NIST Cybersecurity Practice Guide (SP 1800 series)—a detailed implementation guide of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.
Product integrity and the ability to distinguish trustworthy products is a critical foundation of Cyber Supply Chain Risk Management (C-SCRM). Authoritative information regarding the provenance and integrity of the components provides a strong basis for trust in a computing device, whether it is a client device, server, or other technology. The goal of this project is to demonstrate how organizations can verify that the internal components of their purchased computing devices are genuine and have not been tampered with or otherwise modified throughout the device's life cycle.
This project addresses several processes: (1) the processes used by original equipment manufacturers (OEMs), platform integrators, and potentially Information Technology departments to create verifiable descriptions of components and platforms; (2) how to verify devices and components within the single transaction between an OEM and a customer; and (3) how to verify devices and components at subsequent stages in the system life cycle in the operational environment. This project will use a combination of commercial and open-source tools to describe the components of a device in a verifiable manner using cryptography. Future builds of this project may cover the other critical phases of the C-SCRM. This project will result in a freely available NIST Cybersecurity Practice Guide.
Product integrity and the ability to distinguish trustworthy products is a critical foundation of Cyber Supply Chain Risk Management (C-SCRM). Authoritative information regarding the provenance and integrity of the components provides a strong basis for trust in a computing device, whether it is a...
See full abstract
Product integrity and the ability to distinguish trustworthy products is a critical foundation of Cyber Supply Chain Risk Management (C-SCRM). Authoritative information regarding the provenance and integrity of the components provides a strong basis for trust in a computing device, whether it is a client device, server, or other technology. The goal of this project is to demonstrate how organizations can verify that the internal components of their purchased computing devices are genuine and have not been tampered with or otherwise modified throughout the device's life cycle.
This project addresses several processes: (1) the processes used by original equipment manufacturers (OEMs), platform integrators, and potentially Information Technology departments to create verifiable descriptions of components and platforms; (2) how to verify devices and components within the single transaction between an OEM and a customer; and (3) how to verify devices and components at subsequent stages in the system life cycle in the operational environment. This project will use a combination of commercial and open-source tools to describe the components of a device in a verifiable manner using cryptography. Future builds of this project may cover the other critical phases of the C-SCRM. This project will result in a freely available NIST Cybersecurity Practice Guide.
Hide full abstract
Keywords
anti-counterfeiting; anti-tampering cyber supply chain risk management; asset management system; computing device; hardware assurance; hardware roots of trust; integrity; server security
Control Families
None selected
