The top Federal intelligence community and cybersecurity agencies this week issued a new software supply chain developers guide, and said they “strongly encourage” government agencies and software providers alike to follow the guidelines in order to improve security of the software supply chain.
The new guide issued by the National Security Agency (NSA), Director of National Intelligence (DNI), and the Cybersecurity and Infrastructure Security Agency (CISA) stems from the numerous requirements laid out in President Biden’s cybersecurity executive order issued in May 2021.
The executive order sets forth new requirements to secure the Federal government’s software supply chain, including “systematic reviews, process improvements, and security standards for both software suppliers and developers, in addition to customers who acquire software for the Federal Government,” the agencies said.
The new guide was created by the Enduring Security Framework (ESF) Software Supply Chain Working Panel. The panel is a cross-sector working group operating through the Critical Infrastructure Partnership Advisory Council (CIPAC) that aims to address threats and risks to the security and stability of U.S. national security systems. Members of the panel include government officials and private sector officials from the information technology, communications, and defense industrial base sectors.
The guidance document has three sections covering software developers, software suppliers, and software customers.
“Customers (acquiring organizations) may use this guidance as a basis of describing, assessing, and measuring security practices relative to the software lifecycle,” NSA, DNI, and CISA said.
The agencies said the suggested practices may be applied across the acquisition, deployment, and operational phases of a software supply chain.
“The software supplier (vendor) is responsible for liaising between the customer and software developer,” the agencies said. “Accordingly, vendor responsibilities include ensuring the integrity and security of software via contractual agreements, software releases and updates, notifications, and mitigations of vulnerabilities.”
The guidance features best practices and standards to help suppliers in those tasks, and NSA, DNI, and CISA emphasized that software developers are “strongly encouraged to reference” the guide’s best practices and standards.
“These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing),” the agencies said.
In stating the value of the guidelines for improving software supply chain security, the agencies pointed out that the SolarWinds supply chain hack in 2020 and the log4j vulnerability that emerged this year “highlight weaknesses within software supply chains, an issue which spans both commercial and open source software and impacts both private and Government enterprises.”
“Accordingly, there is an increased need for software supply chain security awareness and cognizance regarding the potential for software supply chains to be weaponized by nation state adversaries using similar tactics, techniques, and procedures (TTPs),” the agencies said.