The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) presented the third and final installment of a three-part joint guideline on safeguarding the software supply chain this week.
The Enduring Security Framework (ESF), a cross-sector working group focusing on minimizing threats to vital infrastructure and national security, developed the advice, which offers suggestions to developers, suppliers, and organizations on software supply chain security best practices.
The first installment of the series provides guidelines for software developers, while the second is for software vendors.
The third installment is aimed at software customers, meaning the organizations that purchase, deploy, and manage software in their environments.
The paper (PDF) outlines recommended procedures for consumers to follow when purchasing, implementing, and utilizing software, as well as illustrations of attack scenarios and mitigations.
Before signing contracts, the three agencies advise paying attention to the organization's needs, including security and supply chain risk management (SCRM) operations, completing a product evaluation, including analysis of the software bill of materials (SBOM), and evaluating suppliers.
This should reduce the dangers of procuring items that do not meet criteria, are vulnerable, or have been tampered with, as well as dealing with suppliers under foreign control or with poor security hygiene.
Customers are urged to properly inspect products upon receipt, to undertake functional testing and security validation, to establish a configuration control board (CCB) responsible for the product lifecycle, to verify that the product integrates with the existing environment, and to monitor updates.
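The receipt inspection and SBOM analysis steps described above lend themselves to automation. The following is an added illustration, not code from the ESF guidance: it checks a delivered artifact against the digest the supplier stated on its delivery note, then scans a CycloneDX-style SBOM for components that appear in an advisory list or are absent from the customer's approved-component list. The artifact bytes, SBOM fragment, advisory entries (hypothetical, not real CVEs) and approved list are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: the artifact bytes received and the digest the supplier
# published for them (in practice the digest comes from the delivery note or
# a signed release manifest, never from the same channel as the artifact).
RECEIVED_ARTIFACT = b"constructed-installer-bytes"
TAMPERED_ARTIFACT = b"constructed-installer-bytes-modified"
EXPECTED_SHA256 = hashlib.sha256(RECEIVED_ARTIFACT).hexdigest()

# Constructed CycloneDX-style SBOM fragment; only the fields read below are present.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libexample-compress", "version": "1.2.3"},
        {"type": "library", "name": "example-json-parser", "version": "4.0.1"},
        {"type": "library", "name": "unknown-util", "version": "0.9.0"},
    ],
})

# Constructed advisory list (hypothetical, not real CVEs):
# component name -> versions known to be affected.
ADVISORIES = {
    "libexample-compress": {"1.2.3", "1.2.4"},
}

# Constructed approved-component list maintained by the customer's SCRM process.
APPROVED_COMPONENTS = {"libexample-compress", "example-json-parser"}


def verify_artifact_digest(artifact: bytes, expected_hex: str) -> bool:
    """Receipt check: does the delivered artifact hash to the supplier-stated SHA-256?"""
    actual_hex = hashlib.sha256(artifact).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual_hex, expected_hex)


def assess_sbom(sbom_json: str, advisories: dict, approved: set) -> list:
    """SBOM check: return (kind, name, version) findings for components that are
    affected by an advisory or are not on the approved-component list."""
    bom = json.loads(sbom_json)
    findings = []
    for component in bom.get("components", []):
        name = component.get("name", "")
        version = component.get("version", "")
        if version in advisories.get(name, set()):
            findings.append(("vulnerable", name, version))
        if name not in approved:
            findings.append(("unapproved", name, version))
    return findings


if __name__ == "__main__":
    print("intact artifact matches digest:",
          verify_artifact_digest(RECEIVED_ARTIFACT, EXPECTED_SHA256))
    print("tampered artifact matches digest:",
          verify_artifact_digest(TAMPERED_ARTIFACT, EXPECTED_SHA256))
    for kind, name, version in assess_sbom(SBOM_JSON, ADVISORIES, APPROVED_COMPONENTS):
        print(f"{kind}: {name} {version}")
```

A digest mismatch or any finding from the SBOM scan is a reason to hold the product back from deployment until the supplier explains it, which is the gating decision the guidance assigns to the configuration control board.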
These deployment controls mitigate a range of hazards: substituted or missing products, unexpected changes in functionality, the use of unverified components, the inclusion of latent malware or harmful functionality, data breaches, compromised infrastructure, incomplete product reports, support difficulties, incomplete or false integration assessments, and potentially malicious or compromised updates.
Organizations are also advised to properly handle products that have reached end-of-life (EoL) or are being decommissioned, and to develop an effective training program for new products.
Furthermore, software consumers should pay attention to how a product is used to ensure that vulnerabilities and feature changes are recognized, updates are deployed in a timely way, and malicious software is removed before causing damage to the business.