"ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers"

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have released Securing the Software Supply Chain: Recommended Practices Guide for Suppliers. The product was developed through the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA that provides cybersecurity guidance to address high-priority threats facing the nation's critical infrastructure. To provide guidance to suppliers, ESF investigated the events leading up to the SolarWinds attack, which revealed that investment was required to develop a set of industry- and government-evaluated best practices focused on the needs of software suppliers. Cyberattacks aim to disrupt, disable, destroy, or maliciously control a computing environment or infrastructure, as well as to destroy data integrity or steal controlled information. A malicious actor can exploit a single vulnerability in the software supply chain to cause severe harm to computing environments or infrastructure. Because software developers are required to securely develop and deliver code, verify third-party components, and harden the build environment, prevention is often considered their responsibility. However, the supplier is also critical in ensuring software security and integrity. The software vendor is responsible for acting as a liaison between the customer and the software developer. Additional security features can be implemented through contractual agreements, software releases and updates, vulnerability notifications, and mitigations. This article continues to discuss the software supply chain guidance released for suppliers.

NSA reports "ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers"
