Intel Agencies, CISA Issue Software Supply Chain Developers Guide – MeriTalk

The federal intelligence community and cybersecurity agencies released a new guide for software supply chain developers this week and said they “strongly encourage” government agencies and software vendors to follow the guidelines to improve software supply chain security.

The new guidance released by the National Security Agency (NSA), the Director of National Intelligence (DNI), and the Cybersecurity and Infrastructure Security Agency (CISA) stems from the many requirements outlined in President Biden’s Executive Order on Cybersecurity issued in May 2021.

The executive order sets out new requirements to secure the federal government’s software supply chain, including “systematic reviews, process improvements, and security standards for software vendors and developers, in addition to customers who acquire software for the federal government,” the agencies said.

The new guide was created by the Software Supply Chain Working Group of the Sustainable Security Framework (ESF). The panel is a cross-industry working group operating through the Critical Infrastructure Partnership Advisory Council (CIPAC) that aims to address threats and risks to the security and stability of America’s national security systems. Members of the group include government officials and private sector representatives from the information technology, communications and defense industry sectors.

The guidance document has three sections covering software developers, software vendors, and software customers.

“Customers (acquiring organizations) can use this guidance as a basis for describing, evaluating, and measuring security practices relating to the software lifecycle,” the NSA, DNI, and CISA said.

The agencies said the suggested practices can be applied across the acquisition, deployment, and operation phases of a software supply chain.

“The software vendor (vendor) is responsible for liaising between the customer and the software developer,” the agencies said. “As a result, vendor responsibilities include ensuring software integrity and security through contractual agreements, software releases and updates, notifications, and vulnerability mitigations.”

The guide outlines best practices and standards to help vendors with these tasks, and the NSA, DNI and CISA emphasized that software developers are “strongly encouraged to reference” the guide’s best practices and standards.

“These principles include planning for security requirements, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing),” the agencies said.

Pointing to the value of the guidelines for improving software supply chain security, the agencies recalled that the 2020 SolarWinds supply chain hack and the log4j vulnerability that emerged this year “highlight weaknesses in software supply chains, an issue that spans both commercial and open source software and impacts both private and government companies.

“As a result, there is an increased need for awareness of software supply chain security and knowledge of the potential for militarization of software supply chains by adversaries of nation states using similar tactics, techniques and procedures (TTPs),” the agencies said.
