Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Software Security in Supply Chains
Introduction
The Executive Order (EO) on Improving the Nation’s Cybersecurity released on May 12, 2021 acknowledges the increasing number of software security risks throughout the supply chain. Federal departments and agencies become exposed to cybersecurity risks through the software and services that they acquire, deploy, use, and manage from their supply chain (which includes open source software components). Acquired software may contain known and unknown vulnerabilities as a result of the product architecture and development life cycle.
Mitigating these types of risks throughout the supply chain is a cornerstone goal of the EO, with Sections 4(b), 4(c), and 4(d) focusing exclusively on the critical sub-discipline of Cybersecurity Supply Chain Risk Management (C-SCRM) from the lens of federal acquirers:
EO Section 4 Text
(b) Within 30 days of the date of this order, the Secretary of Commerce acting through the Director of NIST shall solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria in subsection (e) of this section. The guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.
Relevant directives to this guidance:
(c) Within 180 days of the date of this order, the Director of NIST shall publish preliminary guidelines, based on the consultations described in subsection (b) of this section and drawing on existing documents as practicable, for enhancing software supply chain security and meeting the requirements of this section.
(d) Within 360 days of the date of this order, the Director of NIST shall publish additional guidelines that include procedures for periodic review and updating of the guidelines described in subsection (c) of this section.
This guidance is NIST’s response to the directives in Section 4(c) and 4(d) of EO 14028.
Existing industry standards, tools, and recommended[1] practices are sourced from:
- NIST’s foundational C-SCRM guidance;
- Position papers submitted in advance of NIST’s June 2021 Enhancing Software Supply Chain Security Workshop, federal software supply chain security working groups, and an array of public and private industry partnerships; and
- NIST’s EO webpage.
To support the prioritization and practical implementation of evolving software supply chain security recommendations, guidance is presented in the Foundational, Sustaining, and Enhancing practices paradigm in SP 800-161r1.
Existing Standards, Tools, and Recommended Practices
Existing industry standards, tools, and recommended practices are sourced from SP 800-161r1upd1, and other NIST guidance published in response to EO 14028. Those initiatives, as outlined by NIST on its EO 14028 guidance webpage, encompass:
- Critical Software Definition
- Security Measures for “EO-Critical Software” Use
- Software Supply Chain Security Guidance
- Recommended Minimum Standards for Vendor or Developer Verification of Software
Guidance in this Appendix does not introduce net new controls but rather frames existing controls for acquirers within the context of EO 14028.
Key Takeaways
- Using this guidance. Federal agency acquirers should utilize this guidance to contextualize their application of any existing SP 800-161r1 controls upon their suppliers and — where feasible — adopt new software supply chain security recommendations that previously fell outside of the explicit scope of SP 800-161r1 in the context of EO 14028.
- Existing standards, tools, and recommended practices. This guidance provides direction to federal agency acquirers on how to augment existing SP 800-161r1 controls in accordance with EO 14028. It focuses on 1) EO-critical software, 2) software cybersecurity for producers and users, 3) software verification, and 4) cybersecurity labeling for Internet of Things (IoT) devices and software. This publication complements related workstreams by NIST, NTIA, NSA, DOD, CISA, and OMB.
- Evolving standards, tools, and recommended practices. This publication offers recommended software supply chain concepts and capabilities that include a Software Bill of Materials (SBOM), enhanced vendor risk assessments, open-source software controls, and vulnerability management practices. Organizations should prioritize, tailor, and implement these practices and capabilities by applying the Foundational, Sustaining, and Enhancing practices paradigm of SP 800-161r1.
--------------
[1] NIST interprets the intent of “best” practices within the context of the EO as “recommended” practices to align with its typical mandate as an authoritative body that provides recommendations to both public and private organizations.
Content:
- Guidance, Purpose, Scope, and Audience
- EO-Critical Software and Security Measures for EO-Critical Software
- Software Cybersecurity for Producers and Users
- Software Verification
- Evolving Standards, Tools, and Recommended Practices
- Additional Existing Industry Standards, Tools, and Recommended Practices
- Frequently Asked Questions (FAQs)