Updated on 2022-11-17: Securing the Supply Chain Guidance for Customers
The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence have published Securing Software Supply Chain Series – Recommended Practices Guide for Customers. The publication is the third in a series of guidance manuals for supply chain security; guidance for developers was released in August and guidance for suppliers was released in October.
- With increased supply chain risk focus and regulatory requirements, you should be incorporating all the guidance you can find into your planning and response. These are intended for customers to leverage as a basis for assessing, describing and measuring security practices relative to the software lifecycle. The customer slicksheet provides suggestions for requests you can make of suppliers to help reduce your risk. While likely more effective in a paid environment, don't hesitate to leverage these to increase the integrity of the open-source software you use as well.
- This is a supplier problem. It will not be fixed by customers. Too many suppliers, too many updates, too obscure.
Read more in
- Securing the Software Supply Chain | Recommended Practices Guide for Customers (PDF)
- Securing the Software Supply Chain: Customers (fact sheet PDF)
- CISA, NSA, and ODNI Release Guidance for Customers on Securing the Software Supply Chain
- Latest Guidance Outlines Customer Responsibilities for Software Security
Updated on 2022-11-01
The NSA, CISA, and the Office of the Director of National Intelligence (ODNI) released a new set of suggested practices that software vendors can follow to secure the supply chain. Read more: ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers
Overview: NSA, CISA, and ODNI Publish Software Supply Chain Security Guidelines
The US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have released software supply chain security guidance for vendors. The document was developed through the Enduring Security Framework (ESF) public-private cross-sector working group. It grew out of analysis of the events leading up to the SolarWinds supply chain attack in December 2020. ESF released a version of the guidance for developers earlier this year, and expects to release another for customers.
- The latest guide starts off with a first sentence emphasizing essential security hygiene ("Unmitigated vulnerabilities in the software supply chain pose a significant risk to organizations.") and throughout makes the point that in order to implement higher levels of supply chain security, you need that foundation of vulnerability management, configuration control and privilege management (such as at least Tier 2 of the NIST Cybersecurity Framework or Implementation Group 1 of the CIS Critical Security Controls) in order to be able to perform due diligence on what your software supply chain is supplying you with.
- While this is a non-trivial problem to get your arms around, the ESF is working to simplify it by focusing on three areas: Software Developers, Software Suppliers (vendors) and Software Consumers (acquiring organizations), and is releasing guidance documents specific to each. The intent is to assist customers in describing, assessing and measuring security practices relevant to the software lifecycle. Software security via contractual agreements (which includes updates, addressing vulnerabilities and mitigations) is intended to be a vendor responsibility. Developer guidance includes the dreaded security requirements planning, adding security features and maintaining the integrity of the underlying infrastructure, which includes source code review and testing. This division should help you focus on the areas you can affect as well as know what to look for overall.
- It’s hard to imagine initiatives like this trimming the number of supply chain security incidents, but this could definitely help organizations triage and react when there’s an issue with an upstream software package. You can’t fix it if you don’t know you have it.
- This guidance is aimed at suppliers rather than purchasers. It is essential that suppliers be responsible for excluding malicious code from their deliveries.
Read more in