The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) this week released the last part of a three-part joint guidance on securing the software supply chain.
The guidance was created by the Enduring Security Framework (ESF), a cross-sector working group focused on mitigating risks to critical infrastructure and national security, and provides recommendations on software supply chain security best practices to developers, suppliers, and organizations.
The first part of the series offers recommendations for software developers, while the second part is aimed at software suppliers. The third part is aimed at the software customer, representing the organizations that purchase, deploy, and maintain software within their environments.
The document (PDF) details recommended practices customers should apply when acquiring, deploying, and using software, providing examples of attack scenarios and mitigations.
Regarding software procurement, the three agencies recommend paying attention to the organization’s requirements, including security and supply chain risk management (SCRM) activities; performing product evaluation, including evaluation of the software bill of materials (SBOM); and evaluating suppliers before signing contracts.
This should mitigate the risks associated with acquiring products that do not meet requirements, that are plagued by vulnerabilities, or that have been tampered with, as well as the risks of contracting suppliers that are under foreign control or that have poor security hygiene.
When it comes to software deployment, customers are advised to thoroughly examine products upon receiving them, to perform functional testing and validate the product from a security perspective, to establish a configuration control board (CCB) in charge of the product lifecycle, to ensure that the product integrates with the existing environment, and to monitor updates.
These deployment controls eliminate risks such as substituted or incomplete products, unexpected changes in functionality, the use of unverified components, the presence of dormant malware or malicious functionality, data leaks, infrastructure compromise, incomplete product reports, support issues, incomplete or false integration assessments, and potentially malicious or compromised updates.
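As an added illustration of two of the customer-side checks described above, SBOM evaluation during procurement and integrity verification of a product upon receipt, the following Python script is example code written for this summary, not code from the guidance or the agencies. The SBOM fragment, the disallowed-component policy and the artifact bytes are constructed for the example; the CycloneDX field names used (bomFormat, components, name, version, purl) are real, everything else is assumed.

```python
import hashlib
import json

# Constructed CycloneDX-style SBOM fragment; not from any real supplier.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.1.0",
         "purl": "pkg:generic/libfoo@2.1.0"},
        {"type": "library", "name": "oldssl", "version": "1.0.2",
         "purl": "pkg:generic/oldssl@1.0.2"},
        {"type": "library", "name": "nolicense", "version": "0.9"},
    ],
})

# Hypothetical customer policy, as a CCB might maintain it: components that
# are end-of-life or otherwise disallowed, keyed by (name, version).
DISALLOWED = {("oldssl", "1.0.2"): "end-of-life upstream"}
# Fields every component entry must carry to be evaluable at all.
REQUIRED_FIELDS = ("name", "version", "purl")


def evaluate_sbom(sbom_json, disallowed=DISALLOWED):
    """Return a list of (component, reason) findings for a CycloneDX SBOM."""
    bom = json.loads(sbom_json)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        # An SBOM we cannot interpret fails product evaluation outright.
        return [("<document>", "unrecognised SBOM format")]
    for comp in bom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            findings.append((label, "missing fields: " + ", ".join(missing)))
        reason = disallowed.get((comp.get("name"), comp.get("version")))
        if reason:
            findings.append((label, "disallowed: " + reason))
    return findings


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a received artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Compare a received product against the digest the supplier published."""
    return sha256_hex(data) == expected_sha256.strip().lower()
```

A product whose SBOM yields any findings, or whose digest does not match the supplier-published value, would be held back from deployment for review rather than installed.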
Organizations are also advised to take proper care of products that have reached end-of-life (EoL) or which are being decommissioned, and to ensure that an effective training program is implemented for new products.
Furthermore, software customers are advised to pay attention to how a product is operated, to ensure that vulnerabilities and functionality changes are identified, that updates are applied in a timely manner, and that malicious software is eliminated before harming the organization.