NIST Releases Software Supply Chain Security Guidance in Response to EO 14028
On May 12, 2022, the National Institute of Standards and Technology’s (“NIST”) Information Technology Laboratory released its “Software Supply Chain Security Guidance” (“Guidance”) in accordance with President Biden’s directives in Executive Order 14028—Improving the Nation’s Cybersecurity (“EO 14028”).
Pursuant to EO 14028, the Secretary of Commerce is to solicit input from various actors, including the federal government, the private sector, and academia, to identify best practices for evaluating software security, establish criteria for evaluating the security practices of developers and suppliers, and identify “innovative tools or methods to demonstrate conformance with secure practices.”
The Guidance applies to federal agencies that “acquire, deploy, use, and manage software from open-source projects, third-party suppliers, developers, system integrators, external system service providers, and other information and communications technology (ICT)/operational technology (OT)-related service providers.” In addition, organizations in all sectors and industries can use the Guidance to establish and maintain policies and procedures for managing third-party software vulnerabilities.
EO 14028 makes clear that these practices are not requirements but encourages [organizations] to seriously consider the following:
Require that the businesses who supply organizations with software products and services produce a Software Bill of Materials (“SBOM”).
SBOM is defined as a “formal record containing the details and supply chain relationships of various components used in building software” akin to the ingredients on food labels.
The stated benefits of receiving an SBOM from a software provider are “increased transparency, provenance, and speed at which vulnerabilities can be identified and remediated by federal departments and agencies.”
The Guidance recommends that the SBOM “conform to industry standard formats, including SPDX, CycloneDX, and SWID.” At a minimum, SBOMs must contain the following elements:
Data fields providing “baseline information” on the data that is being tracked;
Automation support that can be scaled across the organization’s entire software ecosystems; and
Definition of the SBOM’s practices and processes, including those used for requests, generation, and use.
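The minimum elements above translate naturally into an acquisition-side check: before an SBOM is accepted from a supplier, confirm that every component carries the baseline data fields and that the recorded dependency relationships are internally consistent. The script below is an added example and is not part of the Guidance or of any NIST tool; it parses a constructed, deliberately incomplete SBOM in CycloneDX JSON layout, and the particular baseline fields it checks (supplier, name, version, a unique identifier, dependency relationships, SBOM author, timestamp) are an assumption, since the page does not enumerate them.

```python
import json

# Baseline fields checked here are an assumption (the page does not list them):
# supplier, name, version, unique identifier (purl), dependencies, author, timestamp.
COMPONENT_FIELDS = ("name", "version", "supplier", "purl")

# Constructed sample in CycloneDX JSON layout, deliberately incomplete.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"timestamp": "2022-05-12T00:00:00Z",
                 "tools": [{"name": "example-generator"}]},
    "components": [
        {"bom-ref": "app", "name": "vendor-app", "version": "2.1.0",
         "supplier": {"name": "Example Vendor"},
         "purl": "pkg:generic/vendor-app@2.1.0"},
        {"bom-ref": "lib-a", "name": "lib-a", "version": "1.0.3",
         "purl": "pkg:pypi/lib-a@1.0.3"},           # supplier missing
        {"bom-ref": "lib-b", "name": "lib-b",
         "supplier": {"name": "Example Vendor"}},   # version and purl missing
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-c"]}],  # lib-c undeclared
})


def check_sbom(text: str) -> list:
    # Returns a list of findings; an empty list means the baseline is met.
    bom = json.loads(text)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("unsupported bomFormat")
    meta = bom.get("metadata", {})
    if "timestamp" not in meta:
        findings.append("metadata: missing timestamp")
    if not (meta.get("tools") or meta.get("authors")):
        findings.append("metadata: missing SBOM author/tool")
    refs = set()
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        refs.add(ref)
        for field in COMPONENT_FIELDS:
            if not comp.get(field):
                findings.append(f"component {ref}: missing {field}")
    # Every dependency edge must point at a declared component.
    for dep in bom.get("dependencies", []):
        for target in [dep.get("ref")] + dep.get("dependsOn", []):
            if target not in refs:
                findings.append(f"dependency: undeclared ref {target}")
    if not bom.get("dependencies"):
        findings.append("no dependency relationships recorded")
    return findings
```

Running `check_sbom(SAMPLE_SBOM)` reports the missing supplier, the missing version and identifier, and the dangling dependency reference, which is the kind of gap a receiving agency would send back to the supplier before the SBOM is ingested into vulnerability tracking.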
Implement enhanced vendor risk assessments.
In addition to the enhanced scrutiny of software vendors already called for by EO 14028, the Guidance recommends the following:
“Perform additional scrutiny on vendor SDLC capabilities, security posture, and risks associated with Foreign Ownership, Control, or Influence”;
Require vendors to “self-attest” to adopting practices that conform to NIST’s Secure Software Development Framework (“SSDF”) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities; and
Require verification of signatures for vendor-supplied software installations and updates.
Establish open-source software controls.
Utilize SSDF practices, such as Software Composition Analysis (“SCA”), to “identify any publicly known vulnerabilities of supplied open source software components”;
Ensure that providers utilize procedural and technical controls that create “secure channels from trustworthy repositories” to obtain their open source software components;
Both organizations and their providers should review the open source software for any vulnerable components by utilizing binary software composition analysis; and
“Prioritize the use of programming languages and frameworks that have built-in guardrails to proactively mitigate common types of vulnerabilities.”
Manage vulnerabilities.
Require the demonstrated adoption of SSDF to ensure that the following processes have been properly implemented: “effective change control, automation, robust CI/CD, and DevSecOps practices to mitigate and report common vulnerabilities in accordance with RV practices”;
Ensure that providers have a formal and publicly available avenue for public notification of uncovered vulnerabilities;
Adhere to the following:
ISO/IEC 30111, Information technology — Security techniques — Vulnerability handling processes; and/or
“[A] coordinated vulnerability disclosure (CVD) practice to ensure that federal departments and agencies are able to remediate vulnerabilities in a timely manner.”
Ensure that the software suppliers your organization utilizes have “defined product security incident response teams (PSIRT) and/or internal research teams dedicated to the identification, triage, and remediation of vulnerabilities across the supplier’s product/service”; and
Only purchase from software suppliers who “utilize a formal bug bounty program to incentivize the discovery and proactive remediation of vulnerabilities before adversaries are able to utilize them[.]”