Oct 14 2022

Agencies Shifting to Zero Trust Contend with New IT Supply Chain Best Practices

As the federal government bolsters cybersecurity, IT leaders are urged to treat technology suppliers with caution.

Nearly two years after the SolarWinds cyberattack forced the government to bolster IT supply chain security, federal agencies continue sorting out how to implement and enhance those protections.

The December 2020 attack, attributed to Russian foreign intelligence, compromised nine agencies with malicious software embedded in legitimate updates. Since then, various federal agencies have issued guidance on how to enhance IT supply chain security.

The panoply of requirements and recommendations — from agencies such as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Government Accountability Office (GAO) — all aim to increase the trust and integrity of the hardware and software agencies use.

As agencies move to adopt zero-trust architectures for cybersecurity, the software and IT supply chain security measures they are starting to implement will go hand in hand with their zero-trust efforts, experts say.

Since zero-trust principles require agencies to verify anything and everything that attempts to establish access to their systems, services and networks, IT supply chain verification protocols complement and reinforce those initiatives.

“Zero trust principles can support a more secure supply chain and, in the event of an attack, could help limit the impact,” Jennifer Franks, a director in GAO’s Information Technology and Cybersecurity team, tells FedTech.

Understanding IT Supply Chain Best Practices for Agencies

In early 2021, as the White House and cybersecurity leaders were working to assess the damage from the SolarWinds attack, they were also developing policies they hoped would prevent a similar vulnerability from being exploited in the future.

Many of their ideas can be found in the cybersecurity executive order President Joe Biden issued in May 2021, which has since spawned new policies and best practices. CISA, NIST, GAO and others have released a bevy of IT supply chain security best practices and guidance.

CISA developed an edition of CISA Insights titled “Risk Considerations for Managed Service Providers” to help organizations “make risk-informed decisions to mitigate third-party risk as they determine the best solutions for their unique needs in order to improve software assurance,” a CISA official tells FedTech. The framework includes a risk considerations checklist that could be adapted by any organization seeking to reduce and mitigate security risks.

Meanwhile, after consulting with CISA and the Office of Management and Budget, NIST published guidance outlining security measures for critical software by July 11, 2021. By that same date, after consulting with the National Security Agency (NSA), NIST published guidelines recommending minimum standards for vendor testing of software source code.

In February 2022, NIST issued the Secure Software Development Framework (SSDF), which is designed to “help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences,” according to NIST.

Organizations should ensure that their people, processes and technology are prepared to:

  • perform secure software development
  • protect all components of their software from tampering and unauthorized access
  • produce well-secured software with minimal security vulnerabilities in its releases
  • identify residual vulnerabilities in their software releases, respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future

In September, OMB released guidance titled “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.” The guidance, Federal CISO Chris DeRusha writes in a blog post, “directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered.”

How IT Supply Chain Security Intersects with Zero Trust

While not an exhaustive list of all of the federal guidelines on IT supply chain security, all of the aforementioned pieces of guidance focus on verifying that all agencies’ software comes from trusted sources and meets security standards designed to prevent tampering.

As agencies work to implement this guidance and move toward adopting a zero-trust architecture by the end of fiscal year 2024, those efforts will be mutually reinforcing, experts say.

The push to zero trust involves all entities in the IT supply chain, including component providers, original equipment manufacturers, service providers and end-user customers in both the public and private sector, the CISA official says.

“Each portion of the network could be required to provide capabilities that would facilitate the implementation of one or more tenets” of a zero-trust architecture, the official says.

The emphasis zero trust places on monitoring the supply chain “means that, while not every attack can be prevented, it is more likely to be identified before considerable damage occurs,” the official adds.

In September 2022, the NSA, the Office of the Director of National Intelligence and CISA released guidance titled “Securing the Software Supply Chain: Recommended Practices for Developers” to help software developers create a more secure software supply chain, GAO’s Franks says. Developed by the cross-sector, public-private group Enduring Security Framework, the guide is in line with industry best practices and principles.

The guidance says software requirements should account for security criteria that are based on zero-trust principles, Franks says. It also says software should be integrated using zero-trust principles as recommended in NIST’s zero-trust architecture documentation.

“Trust should not be implied, and therefore critical components and functions should check usage and access rights within the code and only use escalated privileges when necessary,” Franks says.

Bob Stevens, area vice president of public sector at software firm GitLab, says zero trust fundamentally is about moving security “left.” In other words, it should be a part of the development lifecycle of IT hardware and software rather than being added after those products are created.

“In the case of developing software, you’re moving security to every line of code that’s written, versus taking the application at the end and putting it through some scanning tool,” he says.
