US cyber departments issue software supply chain security guidance


Three US cyber-focused departments have this week released the final part of a three-part joint guidance on securing the software supply chain.

According to Security Week, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Office of the Director of National Intelligence released the guidance.

The guidance was created by the Enduring Security Framework (ESF), which is a cross-sector working group focused on mitigating risks to critical infrastructure and national security, and provides recommendations on software supply chain security best practices to developers, suppliers, and organizations.

The joint guidance details recommended practices customers should apply when acquiring, deploying, and using software, providing examples of attack scenarios and mitigations.

In addition, the three agencies recommend paying attention to the organisation’s requirements, including security and supply chain risk management activities, and performing product evaluation.

Security Week said this should mitigate the risks of acquiring products that do not meet requirements, are plagued by vulnerabilities or have been tampered with, as well as of contracting suppliers that are under foreign control or have poor security hygiene.

Customers are also advised to thoroughly examine products upon receiving them, to perform functional testing and validate the product from a security perspective, to establish a configuration control board (CCB) in charge of the product lifecycle, to ensure that the product integrates with the existing environment, and to monitor updates.

Businesses are also advised to take proper care of products that have reached end-of-life (EoL) or which are being decommissioned, and to ensure that an effective training program is implemented for new products.

Software customers are also advised to pay attention to how a product is operated, to ensure that vulnerabilities and functionality changes are identified and that updates are applied in a timely manner.

A top cyber official at the White House has recently called for a reform of NATO to be able to deal better with cyber crises.

Copyright © 2022 FinTech Global
