ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and Office of the Director of National Intelligence (ODNI) released Securing the Software Supply Chain: Recommended Practices Guide for Suppliers. The product is through the Enduring Security Framework (ESF) — a public-private cross-sector working group led by NSA and CISA that provides cybersecurity guidance to address high priority threats to the nation’s critical infrastructure.

In an effort to provide guidance to suppliers, ESF examined the events that led up to the SolarWinds attack, which made clear that investment was needed to create a set of industry and government evaluated best practices focusing on the needs of the software supplier.

Cyberattacks target an enterprise’s use of cyberspace to disrupt, disable, destroy, or maliciously control a computing environment or infrastructure, destroy the integrity of data, or steal controlled information. A malicious actor can take advantage of a single vulnerability in the software supply chain and have a severe negative impact on computing environments or infrastructure.

Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. But the supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities.

Software suppliers will find guidance from NSA and our partners on preparing organizations by defining software security checks, protecting software, producing well-secured software, and responding to vulnerabilities on a continuous basis. Until all stakeholders seek to mitigate concerns specific to their area of responsibility, the software supply chain cycle will be vulnerable and at risk for potential compromise.