The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have released Defending Against Software Supply Chain Attacks, a document containing information on software supply chain risks and providing guidance on the application of frameworks from NIST for cyber supply chain risk management and secure software development.
CISA said Monday that its Defending Against Software Supply Chain Attacks publication warns against the consequences of attacks to an organization's software supply chain, including privileged and persistent access to a victim network, and lists measures that can help prevent and mitigate attacks and enhance supply chain resilience.
According to the document, software customers are advised to create and execute a program for managing identified vulnerabilities and to employ resilience measures that limit the impact of a successful attack against vulnerable software.
It cited NIST's key practices for applying a cyber supply chain risk management approach, including establishing a C-SCRM program and integrating it across the organization, knowing and managing critical components, collaborating with key suppliers and including them in resilience and improvement efforts, and planning for the full life cycle.
For software vendors, the document recommends preparing for secure software development by defining security requirements, automating developer and security toolchains, and creating criteria and processes for collecting the data used in security evaluations. Suppliers are also encouraged to establish SSDF roles and responsibilities within the software development life cycle.
CISA said vendors are encouraged to take a systems security engineering approach to safeguard their development infrastructure and implement NIST's SSDF to protect the cyber supply chain from malicious software content or vulnerabilities.