Dec 13 2022

CISA Offers New Guidance on Supply Chain Security for Customers

The last of the agency’s three-part series on securing the software supply chain focuses on the role of customers.

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) have published the third in a three-part series on securing the software supply chain. The last part of the series, titled “Securing the Software Supply Chain: Recommended Practices Guide for Customers,” follows the August 2022 release of guidance for developers and the October 2022 release of guidance for suppliers.

The series is an output of the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA. The series complements other U.S. government efforts underway — such as the software bill of materials (SBOM) community — to help the software ecosystem secure the supply chain.

The new guidance, along with its accompanying fact sheet, provides recommended practices for software customers to ensure the integrity and security of software during the procuring and deployment phases.


The Possible Threats That Come With Procurement and Acquisition

There are possible threats and potential mitigation measures at each stage of the software supply chain. At the first stop, procurement and acquisition, threats are numerous without proper product evaluation. Undocumented features, malicious or risky code, and vulnerable code or components could leave openings for bad actors to compromise machines and spread malicious programs. A product also could have changed ownership or control, leaving assessors unable to properly evaluate it. Limited or no visibility into product components or requirements leaves assessors unable to make informed decisions and proper evaluations.

Mitigating these threats involves a thorough product evaluation, which ensures that software complies with standards. During product evaluation, CISA stresses the importance of verifying the contents of the SBOM against the product under evaluation. Other mitigation measures include using the same evaluation on third-party suppliers identified in the SBOM and continuously vetting external evaluation labs and verifying their independence.


How to Protect Yourself During Deployment

Deployment is the next stage of the cycle, and it should only come after taking appropriate precautions prior to accepting a product from a supplier or developer. At this point, functional testing of the product opens organizations up to several threats, such as product functionality unknowingly changing or the product containing unverified or unknown components. To protect yourself from these unknowns, CISA recommends saving and storing the tests and test environment for future reference and use, as well as verifying the contents of the SBOM against the product under evaluation.
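One way to carry out the SBOM-against-product check that the guidance calls for during both product evaluation and deployment, as an added example that is not from the guide or this article: the SBOM (in a CycloneDX-like JSON shape) and the set of components observed in the delivered product are constructed sample data, and the finding categories are this example's own.

```python
import hashlib
import json

# Constructed SBOM in a CycloneDX-like shape (sample data, not a real product).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libalpha", "version": "1.2.0",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b"libalpha-1.2.0").hexdigest()}]},
        {"name": "libbeta", "version": "3.0.1",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b"libbeta-3.0.1").hexdigest()}]},
        {"name": "libgamma", "version": "0.9.0",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b"libgamma-0.9.0").hexdigest()}]},
        {"name": "libepsilon", "version": "4.0.0",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b"libepsilon-4.0.0").hexdigest()}]},
    ],
})

# Constructed inventory of what was actually delivered: name -> (version, file bytes).
OBSERVED = {
    "libalpha": ("1.2.0", b"libalpha-1.2.0"),        # matches the SBOM entry
    "libbeta": ("3.0.1", b"libbeta-3.0.1-patched"),  # declared version, different bytes
    "libepsilon": ("4.1.0", b"libepsilon-4.1.0"),    # version drifted from the SBOM
    "libdelta": ("2.2.2", b"libdelta-2.2.2"),        # shipped but never declared
}                                                    # libgamma is declared but absent


def verify_sbom(sbom_json, observed):
    """Compare declared components with the delivered product and classify each one."""
    declared = {c["name"]: c for c in json.loads(sbom_json)["components"]}
    report = {"verified": [], "hash_mismatch": [], "version_mismatch": [],
              "missing_from_product": [], "undeclared": []}
    for name, comp in declared.items():
        if name not in observed:
            report["missing_from_product"].append(name)
            continue
        version, data = observed[name]
        if version != comp["version"]:
            report["version_mismatch"].append(name)
            continue
        expected = {h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"}
        actual = hashlib.sha256(data).hexdigest()
        # A component with no declared hash can only be checked by name and version.
        if expected and actual not in expected:
            report["hash_mismatch"].append(name)
        else:
            report["verified"].append(name)
    report["undeclared"] = sorted(set(observed) - set(declared))
    return report


if __name__ == "__main__":
    for finding, names in verify_sbom(SBOM_JSON, OBSERVED).items():
        print(f"{finding}: {names}")
```

Anything outside the "verified" list is a finding to raise with the supplier before acceptance; undeclared components in particular are the unknown components the guidance warns about.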

After evaluation, the next step of the deployment stage is integration, where IT teams establish processes for implementation and subject the product to further testing, such as interoperability and production security testing. Vulnerabilities at integration include undocumented software modifications or a supplier’s inability to support the product after customer modifications, as well as products that hide malicious functionality. Internal product modifications, where testers use their own tools rather than the enterprise tools under which the product will be deployed, constitute another threat at this point. Mitigating threats during integration should include using multilayered defenses (such as zero trust), using test credentials instead of real IDs during testing, making the test environment as realistic as possible, and continuously monitoring and reviewing the test environment.


How to Best Maintain the Security of Software Operations

Once a product is evaluated, tested and deployed, the end user or other responsible parties must contribute to maintaining the security of the software enterprise. At this point, environments are vulnerable when anomalous behavior (which may indicate security exposures) isn’t noticed or reported by users.

To mitigate threats, CISA says customers need policies and mechanisms to recognize and mitigate threats encountered through the software. This means users should report any bugs or anomalies to their IT departments as soon as possible. Customers also must teach employees how to recognize and report potential threats. Additionally, customers need the ability to disable or isolate a particular product, and they should have a way to inform all users of product anomalies and security threats.
