Biblio

Filters: Keyword is information technology
2021-10-26
Raymond Richards.  2021.  Vetting Commodity IT Software and Firmware (VET).

Government agencies and the military rely upon many kinds of Commercial Off-the-Shelf (COTS) commodity Information Technology (IT) devices, including mobile phones, printers, computer workstations and many other everyday items. Each of these devices is the final product of long supply chains involving many vendors from many nations providing various components and subcomponents, including considerable amounts of software and firmware. Long supply chains provide adversaries with opportunities to insert hidden malicious functionality into this software and firmware that adversaries can exploit to accomplish harmful objectives, including exfiltration of sensitive data and sabotage of critical operations.

Matthew Scholl.  2021.  SolarWinds and Beyond: Improving the Cybersecurity of Software Supply Chains.

Our economy is increasingly global, complex, and interconnected. It is characterized by rapid advances in information technology. IT products and services need to provide sufficient levels of cybersecurity and resilience. The timely availability of international cybersecurity standards and guidance is a dynamic and critical component for the cybersecurity and resilience of all information and communications systems and supporting infrastructures.

[Anonymous].  2021.  Information and Communications Technology Sector.

Information and Communications Technology (ICT) supply chain risk management (SCRM) is the process of identifying and mitigating risks in the manufacture and distribution of ICT products and services. While the Information Technology (IT) sector and the Communications sector face different supply chain risks, their mitigation strategies are similar. Both sectors emphasize having an end-to-end Cyber-SCRM program, continuously evaluating risks to vendor networks, and maintaining geographically diverse and, where warranted, redundant supply chains so that a manufacturer compromise does not leave the sector without a source of supply.

2021-10-22
Sandor Boyson, Thomas Corsi, Hart Rossman, Matthew Dorin.  2011.  Assessing SCRM Capabilities and Perspectives of the IT Vendor Community: Toward a Cyber-Supply Chain Code of Practice. 1-73.

This project developed a tool to assess cyber-supply chain risk management capabilities by consolidating the collective inputs of the public and private actors engaged in supporting Initiative 11. The Department of Commerce (NIST and the Bureau of Industry and Security, BIS); the Department of Homeland Security (DHS); the Department of Defense (DOD/CIO and DOD/NSA); and the General Services Administration (GSA) all provided formal inputs to the design of the assessment tool.

Jon Boyens.  2017.  The Cyber Risk Analytics Project Review Workshop. National Institute of Standards and Technology Site.

The purpose of this workshop is to review with participants, sponsors, and key interested parties the findings and lessons learned from a two-year-long NIST- and GSA-sponsored Cyber Risk Analytics project. A team composed of professionals from the University of Maryland (UMD), Zurich Insurance, and Beecher Carlson completed the following activities:

  • Developed and field-tested, in collaboration with NIST, a secure online self-assessment tool based on the Cybersecurity Framework;
  • Created a breach database for survey participants by integrating the breach datasets from Advisen, RBS, the Identity Theft Resource Center, and the Center for Business and Ethics at the University of Maryland;
  • Conducted a rigorous statistical analysis to search for significant relationships between performance results in different areas of the self-assessment tool and the frequency of breaches (disaggregated by breach type). The objective was to determine whether specific actions initiated by the survey participants were directly associated with a reduced frequency of breach occurrence during the study period.