Press Release | Nov. 17, 2022

ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Customers

FORT MEADE, Md. — The National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released Securing the Software Supply Chain for Customers today. The product was developed though the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA that provides cybersecurity guidance to address high priority threats to the nation’s critical infrastructure.
 
In an effort to provide guidance to customers, ESF examined the events that led up to the SolarWinds attack. This examination made clear that investment was needed to create a set of industry- and government-evaluated best practices focused on the needs of the software customer.
 
Historically, threat actors targeted commonly known vulnerabilities that were left unpatched. While this tactic is still used to compromise unpatched customer systems, a new, less conspicuous method threatens software supply chains and undermines trust in systems patching themselves, something that has been critical to guarding against legacy attacks. Rather than waiting for public vulnerability disclosures, threat actors proactively inject malicious code into products that are then legitimately distributed downstream through the global software supply chain. Over the last few years, these next-gen software supply chain compromises have significantly increased for both open source and commercial software products.
 
Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. Infiltration of the supplier’s network with malicious code prior to the final software product being delivered can also cause the supply chain to be compromised.
 
If a software package injected with malicious code proliferates to multiple consumers, it is much more difficult to confine; it may cause an exponentially greater impact compared to when a single customer is the target of a cyberattack.
 
Because of this, the customer also holds a critical responsibility in ensuring the security and integrity of software; not only do they acquire the software, but they are also responsible for deploying it.  To avoid network exploitation, they should assess threats by conducting supply chain risk management (SCRM) activities and define risk profiles during the security requirements process. Developers and suppliers should also provide customers with guidance on how to verify the integrity of the software components.
 
Security is not just for the developers and suppliers, it’s for customers too. Until all stakeholders seek to mitigate concerns specific to their area of responsibility, the software supply chain cycle will be vulnerable and at risk for potential compromise.
 
In today’s release, software supply chain consumers will find helpful guidance from NSA and partners.
 
If you have questions or want to learn more about ESF, please contact NSAESF@cyber.nsa.gov or visit the ESF page.