Understanding IT Supply Chain Best Practices for Agencies
In early 2021, as the White House and cybersecurity leaders were working to assess the damage from the SolarWinds attack, they were also developing policies they hoped would prevent a similar supply chain compromise, in which a trusted vendor's software update is used to reach its customers, from succeeding in the future.
Many of their ideas can be found in the cybersecurity executive order President Joe Biden issued in May 2021, which has since spawned new policies and best practices. CISA, NIST, GAO and others have released a bevy of IT supply chain security best practices and guidance.
CISA developed an edition of CISA Insights titled “Risk Considerations for Managed Service Providers” to help organizations “make risk-informed decisions to mitigate third-party risk as they determine the best solutions for their unique needs in order to improve software assurance,” a CISA official tells FedTech. The document includes a risk considerations checklist that could be adapted by any organization seeking to reduce and mitigate the security risks of relying on outside providers.
Meanwhile, on the timeline set by the executive order, NIST, after consulting with CISA and the Office of Management and Budget, published by July 11, 2021, guidance outlining security measures for critical software. By that same date, after consulting with the National Security Agency (NSA), NIST published guidelines recommending minimum standards for vendor testing and verification of software source code.
In February 2022, NIST issued the Secure Software Development Framework (SSDF), which is designed to “help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences,” according to NIST.
The SSDF groups its practices into four areas. Organizations should ensure that their people, processes and technology are prepared to:
- perform secure software development
- protect all components of their software from tampering and unauthorized access
- produce well-secured software with minimal security vulnerabilities in its releases
- identify residual vulnerabilities in their software releases, respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future
In September 2022, OMB released guidance titled “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.” The guidance, Federal CISO Chris DeRusha writes in a blog post, “directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered.”