NSA, CISA, ODNI roll out recommended practices guidance for software suppliers

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) published on Monday a document aimed at minimizing the impact of threats to the software supply chain. The latest guidance is addressed to software suppliers and is the second release in the software supply chain series from the Enduring Security Framework (ESF); it details the supplier's responsibilities for addressing vulnerabilities and delivering mitigations. 

The document titled “Securing the Software Supply Chain: Recommended Practices for Suppliers” has been developed through the Enduring Security Framework. This public-private partnership works to address threats to U.S. national security systems and critical infrastructure. The document contains recommended best practices and guidance for suppliers in various tasks, including designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure. 

The document supports cybersecurity professionals in achieving the goals outlined in U.S. President Joe Biden's Executive Order 14028, which established new requirements to secure the federal government's software supply chain. Those requirements cover systematic reviews, process improvements, and security standards for software suppliers and developers, as well as for the customers who acquire software for the federal government. 

The Enduring Security Framework software supply chain working panel established the guidance to serve as a compendium of suggested practices for developers, suppliers, and customer stakeholders to help ensure a more secure software supply chain. It is organized into a three-part series, with the first part focusing on software developers, the second concentrating on software suppliers, and the last covering software customers. 

The first part of the series was released in early September and covers actionable guidance for software supply chain development, production, distribution, and management processes, with the aim of raising the resilience of those processes against compromise. All organizations are responsible for establishing software supply chain security practices to mitigate risk, but an organization's role in the software supply chain lifecycle determines the shape and scope of that responsibility.

The third part of the series, which will focus on the software customer (acquiring organization) part of the software supply chain lifecycle, is still pending release. Taken as a whole, the series is intended to foster communication between software developers, software suppliers, and software customers, and among cybersecurity professionals, which may in turn increase the resilience and security of the software supply chain process. 

“In an effort to provide guidance to suppliers, ESF examined the events that led up to the SolarWinds attack, which made clear that investment was needed to create a set of industry and government-evaluated best practices focusing on the needs of the software supplier,” the NSA said in a media statement. “Cyberattacks target an enterprise’s use of cyberspace to disrupt, disable, destroy, or maliciously control a computing environment or infrastructure, destroy the integrity of data, or steal controlled information. A malicious actor can take advantage of a single vulnerability in the software supply chain and have a severe negative impact on computing environments or infrastructure.”

The NSA holds that the supplier is responsible for ensuring software security and integrity, since the software vendor sits between the customer and the software developer. Through that relationship, additional security measures can be applied via contractual agreements, software releases and updates, and vulnerability notifications and mitigations.

Customers (acquiring organizations) may use the guidance as a basis for describing, assessing, and measuring security practices across the software lifecycle. The suggested practices in the guidance can also be applied across a software supply chain's acquisition, deployment, and operational phases. Finally, the software supplier (vendor) is responsible for liaising between the customer and the software developer; accordingly, vendor responsibilities include ensuring the integrity and security of software through contractual agreements, software releases and updates, and the notification and mitigation of vulnerabilities. 

Software suppliers will find guidance from NSA and its partners on preparing the organization by defining software security checks, protecting software, producing well-secured software, and responding to vulnerabilities on a continuous basis. Until every stakeholder mitigates the concerns specific to its own area of responsibility, however, the software supply chain will remain vulnerable to compromise.

The guidance for software suppliers arrives as CISA has released voluntary, non-comprehensive cross-sector cybersecurity performance goals (CPGs) intended to establish a baseline set of fundamental cybersecurity practices for critical infrastructure sectors. These benchmark goals are aimed particularly at small and medium-sized organizations as they begin their cybersecurity efforts.
