"ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Customers"

"Securing the Software Supply Chain for Customers" guidance has been published by the National Security Agency (NSA) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). The product was developed through the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA that provides cybersecurity guidance to address high-priority threats to the nation's critical infrastructure. ESF analyzed the events leading up to the SolarWinds attack in order to provide guidance to customers. This study revealed that significant investment was required to develop a set of industry- and government-evaluated best practices centered on the needs of the software customer. Historically, threat actors targeted well-known vulnerabilities that went unpatched. Although this tactic is still used to compromise unpatched customer systems, a newer, less visible method jeopardizes software supply chains and undermines trust in the update mechanisms through which systems patch themselves, mechanisms that have been critical in protecting against legacy attacks. Instead of waiting for publicly disclosed vulnerabilities, threat actors inject malicious code into products that are then legitimately distributed downstream through the global software supply chain. These next-generation software supply chain compromises have increased significantly in recent years for both open-source and commercial software products. Once a maliciously injected software package has spread to multiple consumers, it is much more difficult to contain. The customer therefore bears a critical role in ensuring the security and integrity of software: customers not only acquire the software but are also responsible for deploying it. To avoid network exploitation, they should conduct Supply Chain Risk Management (SCRM) activities to assess threats and define risk profiles during the security requirements process.
This article continues to discuss the release of software supply chain guidance for customers.

NSA reports "ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Customers"
