In light of recent supply chain intrusions, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have released new guidance on defending against software supply chain attacks, using NIST frameworks to identify and mitigate risks.
In addition to information about supply chain risks and common attack techniques, the resource guides readers through identifying, assessing, and mitigating supply chain risks using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and its Secure Software Development Framework (SSDF).
“Network defenders are limited in their ability to quickly mitigate consequences after a threat actor has compromised a software supply chain. This is because organizations rarely control their entire software supply chain and lack authority to compel every organization in their supply chain to take prompt mitigation steps,” the guidance says.
“Due to the difficulty of mitigating consequences after a software supply chain attack occurs, network defenders should observe industry best practices before an attack has occurred,” CISA and NIST recommend. “Implementing best practices will bolster an organization’s ability to prevent, mitigate, and respond to such attacks.”
The resource also has some simple steps for establishing a risk management program, including identifying key mission processes, keeping a running inventory of your organization’s software licenses, understanding how your software supports or relates to key processes, and understanding how your software is supported by its suppliers.
“The consequences of a software supply chain attack can be severe. First, threat actors use the compromised software vendor to gain privileged and persistent access to a victim network. By compromising a software vendor, they bypass perimeter security measures like border routers, firewalls, etc., and gain initial access,” the resource warns.
The guidance recommends not only implementing C-SCRM but also creating a formal plan and integrating the program organization-wide. Knowing critical components and their suppliers, understanding the organization’s supply chain, and planning for the full life cycle are further tips the guidance gives for guarding against supply chain intrusions.