News | Feb. 27, 2019

New Software Helps to Mitigate Supply Chain Management Risk

By Heidi Fosnaught, NSA/CSS Communications Officer



Securing the supply chain is a hot topic these days, especially for organizations working to ensure the integrity of their systems. As soon as a product leaves the manufacturing facility, it is exposed to tampering and substitution that could disrupt business, cause production delays, or even lead to legal action. NSA Research and the Trusted Computing Group (TCG), a consortium of industry partners, are working to set the standard in supply chain risk management.

After two years of collaboration, NSA Research, TCG and Intel have released software and standards for a supply chain validation process that can be used with any computing device. During manufacturing, TCG-defined platform certificates are created that capture attributes of the device and its components. Those certificates are delivered with the device, held in its Trusted Platform Module (TPM), and the TPM protects that record throughout the manufacturing process, even when that process spans multiple vendors and multiple production stages. NSA's open source Host Integrity at Runtime and Startup (HIRS) software reads that information from the TPM and validates the provenance of the components. This validation can expose many types of risk, including malicious component swaps.
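The mechanism the paragraph describes, manufacturer-signed component attributes verified later against the hardware actually present, is easiest to see in code. The example below is added here and is not HIRS, TCG or Intel code. It makes several simplifying assumptions: a real TCG Platform Certificate is an X.509 attribute certificate bound to the TPM's endorsement key certificate, which Go's crypto/x509 does not model, so the inventory is carried in an ordinary X.509 certificate extension under a hypothetical private-arc OID; the vendor, model and serial numbers are constructed sample data; and the generic `must` helper needs Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Component is one hardware part recorded on the production line. Assumption: a
// simplified stand-in for the component identifiers of a TCG Platform Certificate.
type Component struct{ Manufacturer, Model, Serial string }

var oidInventory = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // hypothetical private-arc OID, not a TCG one

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func template(subject pkix.Name) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0),
	}
}

// IssuePlatformCert plays the manufacturer: it mints the vendor root (returned so a
// verifier can trust it out of band) and signs a per-device certificate whose extension
// carries the inventory captured at build time. The device key stands in for the TPM key.
func IssuePlatformCert(vendor, deviceSerial string, inv []Component) (root *x509.Certificate, leafDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := template(pkix.Name{Organization: []string{vendor}})
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))))
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := template(pkix.Name{Organization: []string{vendor}, SerialNumber: deviceSerial})
	leaf.KeyUsage = x509.KeyUsageDigitalSignature
	leaf.ExtraExtensions = []pkix.Extension{{Id: oidInventory, Value: must(asn1.Marshal(inv))}}
	return root, must(x509.CreateCertificate(rand.Reader, leaf, root, &devKey.PublicKey, caKey))
}

// ValidatePlatform is the verifier side: it checks that certDER chains to a trusted
// manufacturer root, then diffs the signed inventory against what is observed on the
// device. A swapped part yields one "missing" and one "not in manifest" entry; an
// untrusted or inventory-less certificate is an error, never a clean result.
func ValidatePlatform(roots *x509.CertPool, certDER []byte, observed []Component) ([]string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("platform certificate not trusted: %w", err)
	}
	var manifest []Component
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidInventory) {
			if _, err := asn1.Unmarshal(ext.Value, &manifest); err != nil {
				return nil, fmt.Errorf("malformed inventory: %w", err)
			}
		}
	}
	if manifest == nil {
		return nil, fmt.Errorf("certificate carries no component inventory")
	}
	delta := map[Component]int{} // +1 per manifest entry, -1 per observed part
	for _, c := range manifest {
		delta[c]++
	}
	for _, c := range observed {
		delta[c]--
	}
	var issues []string
	for c, d := range delta {
		if d > 0 {
			issues = append(issues, fmt.Sprintf("missing from device: %+v", c))
		} else if d < 0 {
			issues = append(issues, fmt.Sprintf("not in manifest: %+v", c))
		}
	}
	return issues, nil
}

func main() {
	inv := []Component{{"Example Hardware Inc", "MB-1000", "MB-0001"}, {"DRAM Corp", "DIMM-16G", "DIMM-9001"}} // constructed sample
	root, der := IssuePlatformCert("Example Hardware Inc", "SN-12345", inv)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Println(ValidatePlatform(roots, der, inv))
	inv[1].Serial = "DIMM-7777" // the DIMM was replaced after the device shipped
	fmt.Println(ValidatePlatform(roots, der, inv))
}
```

Two design points carry over to the real system. The verifier must fail closed: a certificate that does not chain to a manufacturer it already trusts, or that carries no inventory at all, is rejected rather than treated as "nothing to compare". And the comparison is a set difference in both directions, so a substituted part shows up as a missing manifest entry plus an unlisted observed part, while an added implant shows up as an unlisted part alone.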

“The development of open source tools for Trusted Computing-based supply chain validation provides the U.S. Government with greater confidence in the security of our mission critical systems,” said Peg Mitchell, NSA Chief Information Security Officer. “The cryptographically verifiable certificates that bind devices and peripherals to their trusted platform manufacturer will help reduce supply chain threats. This technology will bolster the security posture for NSA, the Department of Defense, and for commercial entities that require high confidence in the integrity of their systems.” 

NSA Research and TCG are working to make this process a standard, something like a digital background check: the certificates serve as a device's birth certificate and history. Running the HIRS software authenticates the hardware in a device and links it back to its manufacturer. Hardware manufacturers and technology vendors can download the HIRS software from the NSA Cyber GitHub site to get started with the technology. Don't miss your chance to see it live at RSA 2019 in San Francisco from March 4th to the 8th.

Looking for more information on cybersecurity? Check out NSA’s cybersecurity page