
Nextgov: NIST’s Supply-Chain Security Guidance Tells Agencies: Look to FedRAMP First

“All presidential administrations going back to President Barack Obama have pushed federal agencies to make greater use of cloud service providers in order to reduce costs, and FedRAMP has been their way of checking that security isn’t sacrificed in the process. It involves third-party certification of cloud providers’ security practices and is a required step for any agency looking to purchase cloud services. However, the program is not fully enforced or monitored for compliance by the Office of Management and Budget, according to GAO.

‘The external system service providers discussed in this publication include cloud service providers,’ NIST’s revised guidance reads. ‘This publication does not replace the guidance provided with respect to federal agency assessments of cloud service providers’ security. When applying this publication to cloud service providers, federal agencies should first use Federal Risk and Authorization Program cloud services security guidelines and then apply this document for those processes and controls that are not addressed by FedRAMP.’…”

“The guidance released Thursday is aimed at organizations buying and implementing software, and other supply-chain elements, into their environments.

‘The primary audience for the revised publication is acquirers and end users of products, software and services,’ NIST wrote in a press release. ‘The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities, such as the sources of code within a product, for example, or retailers that carry it.’…” Read the full article here.

Source: NIST’s Supply-Chain Security Guidance Tells Agencies: Look to FedRAMP First – By Mariam Baksh, May 5, 2022. Nextgov.

