"CISA, NSA and Industry Outline Security Responsibilities of Software Suppliers"

According to guidance recently released by the National Security Agency (NSA) and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), software suppliers have unique responsibilities: they must maintain the efficient delivery of their products while also accounting for security risks. The NSA noted that prevention is often considered the software developer's responsibility. The developer is required to develop and deliver code securely, verify third-party components, and harden the build environment. However, the NSA points out that the supplier also has a critical role in ensuring the security and integrity of software, since the vendor is the party that communicates between the customer and the developer. Through this relationship, additional security measures are put in place through contractual agreements, software releases and updates, vulnerability notifications, and mitigations.

The document written for software vendors is the first in a series of three. The Enduring Security Framework (ESF), which includes US government officials and industry representatives from the Information Technology (IT), communications, and defense sectors, released developer guidance in September and plans to address software consumers' security responsibilities next. Security best practices for software producers and users have already been articulated in the National Institute of Standards and Technology (NIST) Secure Software Development Framework, which NIST used to meet its obligations under Executive Order 14028 to provide guidance to federal agencies. In May 2021, President Joe Biden issued the order in response to the SolarWinds incident, in which customers of the ubiquitous IT management firm were compromised after installing what appeared to be a routine update. The attackers gained unauthorized access to SolarWinds' delivery mechanism and disguised their malware as new code.
According to the document, this series will help foster communication among these three roles and among cybersecurity professionals, which may improve resiliency and security across the software supply chain. This article continues to discuss the new guidance, which tries to distinguish the security duties of software developers, suppliers, and consumers.

NextGov reports "CISA, NSA and Industry Outline Security Responsibilities of Software Suppliers"
