Comments Wanted on New NCCoE Project to Improve Supply Chain Cybersecurity


The National Cybersecurity Center of Excellence (NCCoE) is excited to announce the release of the new draft project description, Validating the Integrity of Servers and Client Devices, and is seeking feedback from the public to help refine the challenge and scope of the project. The comment period is now open and will close on January 6, 2020.

What is this project about?

Organizations today face the challenge of identifying trustworthy products due to increased risk resulting from compromises in cyber supply chains. Cyber Supply Chain Risk Management is an evolving approach to modernizing information technology (IT) systems, as information and operational technologies rely on complex, globally distributed and interconnected, supply chain ecosystems to provide highly refined, cost-effective, and reusable solutions.

The goal of this project is to provide guidance that will help organizations verify that the internal components of their purchased computing devices are genuine and have not been altered during the manufacturing and distribution processes. Additionally, this project will demonstrate the creation of manufacturing artifacts, verification of components during device acceptance testing, and verification of device state during use of personal computing devices with hardware roots of trust.

The solution will use security controls that adhere to the NIST Cybersecurity Framework, industry standards, and best practices. The project will result in a freely available NIST Cybersecurity Practice Guide, documenting an example solution that demonstrates how to integrate verifiable artifacts with existing enterprise IT management systems into your organizations.

The public comment period is now open. Please read the project description and submit your feedback by January 6, 2020.

If you are interested in joining this Community of Interest to stay up-to-date on the progress of this project and to provide additional feedback, email us at

We value and welcome your input.

After this project description is finalized, NCCoE cybersecurity experts will collaborate with vendors of cybersecurity technologies to develop a reference design addressing this challenge.