Jon Boyens: Software Supply Chain Management a Key Focus for NIST

The deputy chief of the National Institute of Standards and Technology’s computer security division said the agency has been updating its software supply chain guidance to ensure that cyberthreats are kept at bay.

In a Federal News Network interview, Jon Boyens shared that the NIST started focusing on the software aspect of supply chain risk management through Executive Order 14028 following the SolarWinds hack. According to Boyens, the agency has put a significant focus on software bills of materials because of their importance in identifying critical or risky components and providers.

Boyens said it is crucial to understand the importance of using and creating software SBOMs, noting that organizations can only realize the bill’s importance if they use it. He added that organizations should also augment SBOMs with a more comprehensive vulnerability management program, Federal News Network reported.

The NIST official’s efforts come after the Cybersecurity and Infrastructure Security Agency released new guidance for information and communications technology supply chain risk management plan creation. The guidance gives small and medium-sized businesses, as well as their technology suppliers and integrators, eight key steps for developing a resilience-center SCRM plan.