Keep Software Supply Chains Secure With New Federal Guidance

NIST also updated its Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Special Publication 800-161 Revision 1), which provides best practices for agencies to identify, assess and mitigate cybersecurity risks throughout their supply chains.

Jon Boyens, deputy chief of NIST’s computer security division, says the updated guidance will help agencies implement cybersecurity supply chain risk management (C-SCRM). “It is a big document, but we wanted to put it all in one place for the different stakeholders, whether you’re a contracting officer developing a system, an operational information security person or in the CIO shop developing policies,” he says.

In a complementary effort, CISA, NSA and the Office of the Director of National Intelligence (ODNI) have recently published three guidelines for software developers, suppliers and customers. For customers, such as government agencies and private sector companies, the guidance covers recommended best practices from procurement and deployment to operations.

EXAMINE: How to keep federal supply chains resilient and secure. 

The Importance of Supply Chain Security

In the federal sector, supply chain security is critical because the government’s day-to-day operations are increasingly digitized and software-based. With agencies and the private sector doing a better job of securing their perimeters, threat actors are forced to find vulnerabilities in the supply chain that allow access into organizations, Boyens says.

For example, the Log4j vulnerability caused a massive security crisis worldwide when it was discovered in December 2021. Log4j, a popular open-source Apache logging framework, is widely used in enterprise and web applications.

“Supply chain security is a high priority because – as you’ve seen in the latest published attacks of Log4j and SolarWinds – open-source and commercial components can include substantial and far-reaching vulnerabilities,” says Carol Lee, director of the NSA’s Center for Assured Software.

The software supply chain encompasses everything needed to produce software, from custom code, open-source software and cloud services to developers and DevOps teams. So, the supply chain not only includes the finished product, but also components developed elsewhere.

Internal & External Measures of Supply Chain Security

NIST SP 800-161 Revision 1 offers three levels of best practices. The essential foundational practices include creating a Program Management Office for C-SCRM that’s equal in stature to C-suite executives. It must also oversee the development of strategies and policies that will funnel down throughout the organization, Boyens says.

“Many people think C-SCRM is all outside the organization, the supplier relationships, but a lot of it is internal processes,” he says.

Another foundational best practice is to develop an incident management program to identify, respond to and mitigate security incidents, including the ability to identify root causes and whether incidents originated from the supply chain. According to NIST, agencies should also establish internal processes and a governance capability that requires suppliers and service providers to actively identify and disclose vulnerabilities in their products.

Next, agencies can adopt a second tier of “sustaining” practices, which include integrating supply chain risk management requirements into contracts with suppliers, says Boyens. These may include testing to ensure products are secure, requiring suppliers to adopt specific security practices or requiring their suppliers to meet certain requirements. 

“What separates C-SCRM from traditional information security is visibility, understanding and control,” Boyens says. “You have control within your organization, but you have very little control outside the organization. The only way you can get that control with the supply chain is through the contracting process.”

Finally, agencies can implement a third set of “enhancing” practices, including the use of automation and metrics to better manage C-SCRM processes.

LEARN MORE: Reduce supply chain cybersecurity risks with updated GSA standards.

A Three Layered Approach to Protecting Your Supply Chain

In November, CISA, NSA and ODNI published guidelines to help customers safeguard the software supply chain. That followed previously released guidelines for software developers and suppliers.

“All three communities need to work together to protect our software supply chain,” Lee says.

The guidance was developed by the Enduring Security Framework, a public–private working group led by NSA and CISA.

To mitigate risks, best practices include requiring software suppliers to provide a software bill of material, an inventory of all the software components that make up an application, Lee says. Developers, suppliers and customers should continually verify the contents of the SBOM against known vulnerability databases, such as NIST’s National Vulnerability Database for new threats to the components.

“When you buy a Twinkie, it comes with a list of ingredients. Yet, the software we use in our critical infrastructure and civilian government systems doesn’t have the same basic level of transparency that we would expect from a nonbiodegradable snack,” says Allan Friedman, senior adviser and strategist at CISA. “Implementing this is key.”

For example, when the Log4j vulnerability was discovered, organizations that had required SBOMs immediately knew which of their applications used the open-source component. That enabled them to remediate and install patches faster and more efficiently, while everyone else had to rely on manual processes, says Friedman.

Other best practices include:

• Checking hashes, signatures and certifications to verify the integrity of the software delivered
• Performing security, environmental and functionality tests on software
• Requiring suppliers to notify agencies of changes in ownership and geolocation, as well as cyber incidents and investigations.

Once software is deployed, agencies should use security tools to continuously monitor their applications. Users should also be trained to identify and report bugs and anomalous behavior.

“There is a lot of information in the guidance,” Lee says. “The key point is to get started, start with one security activity and keep improving over time to protect the software that can affect us all.”

The Role of Zero Trust

The Department of Defense is leading the charge in securing its software supply chain. Yet, by implementing NIST and other best practices, other agencies can improve their ability to stay ahead of threats, Boyens says.

For instance, moving beyond perimeter-based security to adopt a zero-trust architecture goes hand in hand with the software supply chain measures that agencies must implement, he says.  

Among other elements, zero trust requires strict access controls, user authentication and continuous monitoring of networks and systems. That means that even if a vulnerability exists in the supply chain, a zero-trust approach may help prevent a security breach, says Boyens.

“The goal is to become more resilient,” he says. “By segmenting areas through zero trust, adversaries can’t move laterally.”

EXPLORE: Master data management guides agencies through supply chain difficulties.