The US cybersecurity agency CISA, the NSA, and the Office of the Director of National Intelligence (ODNI) on Thursday released new guidance for software vendors and suppliers on securing the software supply chain.
The document (PDF) can help organizations assess their security measures throughout the software lifecycle, including managing open source software (OSS) and software bills of materials (SBOM), and provides recommendations that can be applied across different phases of the software supply chain.
The new counseling comes roughly one year after CISA, NSA, and ODNI released a three-part joint guidance on how software developers, suppliers, and customers can secure the supply chain and aims to increase the resilience of development, production, distribution, and management processes.
“All organizations are encouraged to proactively manage and mitigate risks as a part of evolving secure software development practices. An organization’s role as a developer, supplier or customer of software in the software supply chain lifecycle will continue to determine the shape and scope of this responsibility,” the three agencies note.
The document provides guidance on implementing SBOM processing, assessing the risk of identified vulnerabilities, taking specific steps to avoid the exploitation of a vulnerability, requesting new SBOMs for updated software, and other actions organizations should take when it comes to efficient SBOM consumption.
According to the new guidance, SBOMs represent a central component in software security and software supply chain risk management, and may be correlated with other data to increase their value and scope and to create risk scores that enable timely action.
“An SBOM conveys information about what is in the software. The mere act of knowing that a supplier can provide a quality SBOM offers benefits to the software user, since it offers a certain level of confidence that the software supplier is more likely to be able to respond to supply chain concerns,” the document reads.
SBOMs, the three agencies note, have become critically important as they show if the software is up-to-date, provide information on the use of open source software, help ensure compliance, and can help reduce the exposure window, once a vulnerability has been identified.
Customers need to consume thousands of SBOMs to understand their risk exposure, and fully leveraging the potential of SBOMs requires automated SBOM processing, analysis, and correlation, as well as turning SBOM data into security intelligence, CISA, NSA, and ODNI note.
“Data from SBOMs feeds into many enterprise workflows, including procurement, asset management, vulnerability management, and overarching supply chain risk management and compliance functions. Therefore, the SBOM is often less useful as a file than as a collection of data that can be parsed, extracted, and loaded into automated processes,” the guidance reads.