Standards Crosswalk Compares NIST and ISO Standards
If you have ever felt confused by the variety of supply chain risk management standards out there, some new research may help. Led by the National Aeronautics and Space Administration Scientific and Engineering Workstation Procurement (NASA SEWP), a working group of government and industry experts compared the Open Trusted Technology Provider Standard (OTTPS) that makes up ISO 20243 and NIST Special Publication 800-161.
The central questions the resulting document focused on clarifying included:
To what extent are ISO 20243 standards applicable to NIST 800-161? Can these two standards and guidelines be mapped as to how they complement and/or contradict one another? To what extent can the ISO 20243 standards be used by agency buyers to help fulfill their obligations associated with NIST 800-161?
The crosswalk showed that there was a significant overlap of five of 12 controller enhancements and 75%-89% of the risk controls. The exercise also led to a number of conclusions that could assist federal acquisition professionals to apply existing means to partially satisfy requirements and recommendations of NIST SP 800-161 and NIST IR 7622.
Conclusions:
- The O-TTPS’s ISO 20243 SCRM Standards for “maliciously tainted and counterfeit products” standards are consistent in purpose and intent with existing and emergent federal policy materials and guidelines that have been proposed or are currently in draft format.
- The ISO 20243 SCRM Standards provides a measure of risk management agencies can use to satisfy certain portions of NIST 800-161 and NIST IR 7622.
- The ISO 20243 SCRM Standards map to between 75-89% of the supplier risk controls recommended in NIST IR 7622.
- The ISO 20243 SCRM Standards fully addresses 5 of the 12 Supply Chain Management Control Enhancements found in the existing NIST 800-161
- The ISO 20243 SCRM Standard satisfies 9 of the 12 Supply Chain Management Control Enhancements and compliments 2 of the remaining 3 controls found in the existing NIST 800-161.
- There is only one Supply Chain Management Control Enhancement Control in NIST 800-161 that ISO 20243 SCRM cannot satisfy and does not address.
The full Standards Crosswalk report can be found at www.sewp.nasa.gov/documents/OTTPS-NIST_CrossWalk_NASA_SEWP.pdf.