An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | Dec. 11, 2023

NSA and ESF Partners Release Recommended Practices for Managing Open Source Software and Software Bill of Materials

FORT MEADE, Md. – The National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA), and industry partners have released a cybersecurity technical report (CTR), “Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials,” which builds on the “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” paper released by the Office of Management and Budget (OMB).  
The guidance in this release supports development activities of a single developer as well as activities of large industry companies to maintain software supply chain security practices to mitigate risks. Developed by the Enduring Security Framework (ESF) Software Supply Chain Working Group, an NSA, ODNI, and CISA-led a public-private cross-sector group, to provide details on recommended practices as a basis for describing, assessing, and measuring security practices relative to the software lifecycle.
"Open source software is an essential and valuable component in many commercial and public-sector products and services, and collaboration on open source software often enables great cost-savings for participants. However, organizations that do not follow a consistent and secure-by-design management practice for the open source software they utilize are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident. For this reason, CISA is very pleased to have co-produced this guide with NSA, ODNI, and industry partners, which can be used by organizations of all sizes to improve the safety and security of their open source software management practices," Aeva Black, CISA Open Source Software Security Lead.
Software incorporated and/or utilized through open source may have embedded issues. It is imperative that we pay close attention to how these modules are bundled with the software at release. This in turn increases the potential for supply chains to be weaponized by national state adversaries who can access software via several means including, but not limited to: exploitation of design flaws, incorporation of vulnerable third-party components into a software product, infiltration of the supplier's network with malicious code prior to the final delivery of the product, and injection of malware within the software deployed in the customer environment.
"MongoDB is proud to have contributed to the Enduring Security Framework as part of the cross-sector working group dedicated to mitigating threats to critical infrastructure security. The latest "Managing OSS and SBOM Guide" will help with describing, assessing, and measuring security practices related to the software development life cycle, a cause that is very important to MongoDB and our customers. The focus on enhancing security practices throughout the software development life cycle underscores our commitment as a vendor to uphold software integrity and security, offering best practices and standards that aid consumers and vendors in these crucial responsibilities," Lena Smart, Chief Information Security Officer, MongoDB.
This report provides guidance in line with industry best practices and principles, including managing open source software and software bills of materials (SBOM) to maintain and provide awareness about the security of software. Specifically, the report provides more details on Open Source Software (OSS) adoption and the things to consider when evaluating and deploying an open source component into an existing product development environment include: its composition; process and procedures used when adopting open source software; and management, tracking and distribution of approved software components using an SBOM.
Read the full report now.
Read the related releases:

Visit our full library for more cybersecurity information and technical guidance.

NSA Media Relations