Secure Software: New Federal Guidance Seeks to Bolster Software Supply Chain Security

Published: September 08, 2022

Tags: Federal Market Analysis, Cybersecurity, CISA, NSA, ODNI, Policy and Legislation

Three top federal cybersecurity agencies publish best practices for software developers to use to secure the software supply chain.

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) recently published Securing Software Supply Chain – Recommended Practices for Developers. The guidance is the first of a three-part joint publication series created by the Enduring Security Framework (ESF), a public-private, cross-sector working group led by the NSA and CISA that is focused on giving software developers suggested practices for a more secure software supply chain.

The new guidance fulfills elements of the 2021 White House Executive Order on Improving the Nation’s Cybersecurity (EO 14028) to establish new requirements to secure the federal government’s software supply chain, including developing systematic reviews, process improvements, and security standards for software developers and suppliers as well as federal customers and acquisitions personnel.

Building Security into the Software Development Lifecycle

The guidance breaks down and addresses the following areas of the secure software development lifecycle (Secure SDLC) from the developer perspective:

  • Establishing Secure Product Criteria and Management: Development team managers and members adapt and customize the Secure SDLC process to identify the exact procedures and policies needed to ensure that secure development practices are implemented and that adherence artifacts are created. Recommended security mitigations include creating threat models, security test plans, release criteria, and product support and vulnerability handling policies and procedures for the software product. This element also includes training and assessing developers in following Secure SDLC processes.
  • Developing Secure Code: This area addresses practices and security mitigation actions around open source code management, secure development, code integration, customer-reported defect/vulnerability response, and external development extensions or customizations made by third parties.
  • Verifying Third-Party Components: This area addresses practices and security mitigation actions around third-party binary components, component selection and integration, choosing known and trusted suppliers, component maintenance, and specifications for a Software Bill of Materials (SBOM).
  • Hardening the Build Environment: This area addresses practices and security mitigation actions around protecting against build chain exploits and exploited signing servers within the software product development/delivery process.
  • Delivering Code: This area addresses practices and security mitigation actions around final software package validation, potential tactics used to compromise software packages and updates, and compromises of the distribution system.

Multiple appendices cover various relevant topics, including a crosswalk with the NIST SP 800-218: Secure Software Development Framework (SSDF), with risk mitigations and use cases; a framework for Supply-Chain Levels for Software Artifacts (SLSA); notable dependencies for implementation; and relevant reference materials.

Implications

The federal focus on supply chain security, like much of the technology industry, has matured beyond addressing software vulnerabilities once they are discovered to dealing with “threat actors proactively inject[ing] malicious code into products that are then legitimately distributed downstream through the global supply chain,” as the latest guidance notes.

This latest joint-agency guidance complements other recent federal supply chain security guidance issued by the National Institute of Standards and Technology (NIST) to address elements of EO 14028. The NSA/CISA/ODNI and NIST efforts continue to offer support to – and ratchet up the stakes for – both software suppliers from which federal agencies procure and the software integrators upon which they depend.

If not already motivated to mature their secure software development practices, federal suppliers need only look to the high-profile cybersecurity incidents of recent years to boost their resolve. Failure will result in lost market opportunity and potentially damaging publicity and liabilities.