US Gov Issues Software Supply Chain Security Guidance for Customers

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) this week released the last part of a three-part joint guidance on securing the software supply chain.

The guidance was created by the Enduring Security Framework (ESF), a cross-sector working group focused on mitigating risks to critical infrastructure and national security, and provides recommendations on software supply chain security best practices to developers, suppliers, and organizations.

The first part of the series offers recommendations for software developers, while the second part is aimed at software suppliers. The third part is aimed at the software customer, representing the organizations that purchase, deploy, and maintain software within their environments.

The document (PDF) details recommended practices customers should apply when acquiring, deploying, and using software, providing examples of attack scenarios and mitigations.

Regarding software procurement, the three agencies recommend that customers define the organization's requirements, including security and supply chain risk management (SCRM) activities, perform product evaluation, including review of the software bill of materials (SBOM), and evaluate suppliers before signing contracts.

This should mitigate the risks of acquiring products that do not meet requirements, that are plagued by vulnerabilities, or that have been tampered with, as well as the risk of contracting suppliers that are under foreign control or have poor security hygiene.

When it comes to software deployment, customers are advised to thoroughly examine products upon receiving them, to perform functional testing and validate the product from a security perspective, establish a configuration control board (CCB) in charge of product lifecycle, ensure that the product integrates with the existing environment, and monitor updates.
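The SBOM review at procurement time and the integrity check on receipt described above can be partly automated. The following is an added example, not code from the guidance or the agencies: it walks a constructed CycloneDX-style SBOM fragment (field names follow the CycloneDX JSON layout, the values are invented), flags components that cannot be evaluated or verified, and checks a received artifact's bytes against the SHA-256 the SBOM declares.

```python
import hashlib

# Hash algorithms (CycloneDX "alg" values) strong enough to support an integrity check.
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512"}

# Constructed sample: the artifact bytes and the SBOM below are invented for this example.
SAMPLE_ARTIFACT = b"constructed example artifact bytes"
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libexample", "version": "2.1.0",
         "supplier": {"name": "Example Vendor"},
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}]},
        # No version: cannot be matched against vulnerability advisories.
        {"type": "library", "name": "unpinned-helper",
         "supplier": {"name": "Example Vendor"}},
        # No supplier and only an MD5 digest: provenance and integrity both unverifiable.
        {"type": "library", "name": "orphan-lib", "version": "0.9",
         "hashes": [{"alg": "MD5", "content": "d41d8cd98f00b204e9800998ecf8427e"}]},
    ],
}


def evaluate_sbom(sbom):
    """Return one finding per gap that blocks evaluation of a component."""
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append(f"{name}: no version declared, cannot check against advisories")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{name}: no supplier declared, provenance unknown")
        algs = {h.get("alg") for h in comp.get("hashes", [])}
        if not algs & STRONG_HASHES:
            findings.append(f"{name}: no strong hash, integrity cannot be verified on receipt")
    return findings


def verify_artifact(component, artifact_bytes):
    """True only if a SHA-256 is declared for the component and the received bytes match it."""
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return hashlib.sha256(artifact_bytes).hexdigest() == h.get("content", "").lower()
    return False  # nothing to verify against: treat as unverified, not as verified


if __name__ == "__main__":
    for finding in evaluate_sbom(SAMPLE_SBOM):
        print("FINDING:", finding)
    print("libexample verified:", verify_artifact(SAMPLE_SBOM["components"][0], SAMPLE_ARTIFACT))
```

A component with no finding and a matching hash is the only one that passes both the procurement review and the receipt check; everything else goes back to the supplier as an open question.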


These deployment controls eliminate risks such as substituted or incomplete products, unexpected changes in functionality, the use of unverified components, the presence of dormant malware or malicious functionality, data leaks, infrastructure compromise, incomplete product reports, support issues, incomplete or false integration assessments, and potentially malicious or compromised updates.

Organizations are also advised to take proper care of products that have reached end-of-life (EoL) or which are being decommissioned, and to ensure that an effective training program is implemented for new products.

Furthermore, software customers are advised to pay attention to how a product is operated, to ensure that vulnerabilities and functionality changes are identified, that updates are applied in a timely manner, and that malicious software is eliminated before harming the organization.

Ionut Arghire is an international correspondent for SecurityWeek.
