The National Institute of Standards and Technology (NIST) has published five directives identifying practices that enhance security of the software supply chain.
The directives published by NIST respond to a portion of the agency’s assignments set forth by President Biden’s executive order (EO) on Improving the Nation’s Cybersecurity, issued in May 2021. The EO, among other items, tasked NIST by Feb. 6 “to issue guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria.”
New Directives
The Secure Software Development Framework (SSDF) serves as the basis for software development evaluation which will help inform pilot projects on creating consumer labels for software and other connected devices. The practices laid out in the framework will help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed potential risks, and address the root causes of vulnerabilities to prevent future recurrences.
NIST’s Software Supply Chain Security Guidance sets forth several recommendations for Federal agency staff who have software procurement-related responsibilities:
- Use SSDF terminology and structure to organize communications about secure software development requirements;
- Require attestation to cover secure software development practices performed as part of processes and procedures throughout the software life cycle;
- Accept first-party attestation of conformity with SSDF practices unless a risk-based approach determines that second or third-party attestation is required; and
- When requesting artifacts of conformance, ensure they are is high-level artifacts.
The EO also directed NIST to initiate labeling programs related to the Internet of Things (IoT) and software to inform consumers about the security of their products.
The Recommended Criteria for Cybersecurity Labeling of Consumer IoT Products details recommendations for consumer IoT product label criteria, considerations for label design and consumer education, and conformity assessment considerations. The Recommended Criteria for Cybersecurity Labeling of Consumer Software seeks to fulfill this directive by making recommendations in the following areas: the role of a scheme owner in a labeling program; baseline technical criteria that can inform a label; labeling presentation criteria; and conformity assessment criteria.
Additionally, NIST’s Consumer Cybersecurity Labeling Pilots will consist of contributions from stakeholders regarding current or potential future labeling efforts for consumer IoT products and software, and how those efforts align with the NIST recommendations. The agency specified that it’s not designing a particular label or establishing a labeling program.
“Rather, NIST’s recommendations set out desired outcomes, allowing and enabling the marketplace of providers and consumers to make informed choices,” the agency stated.
