New Software Supply Chain Security Guidance – Not Just for Engineers!

August 5, 2022
IT Security, News, Technology
4 min read

Unless you’ve somehow insulated yourself from the news entirely since the early COVID days, you’re probably aware that the world is suffering from a bit of a supply chain issue. That supply chain issue is caused by a number of things: COVID, the Russian invasion of Ukraine, fewer workers in the workforce, and more.

But another cause, something a bit more in our wheelhouse, is cybersecurity. Specifically, the number of cyberattacks on the supply chain continues to rise.

To counter these offenses, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) published updated guidance for reducing cybersecurity risks in supply chains in May 2022.

Titled “Software Supply Chain Security Guidance,” the update is NIST’s response to directives in an executive order issued by President Joe Biden, designed to improve cybersecurity in the United States. This NIST guidance is assumed to target federal agencies. However, as NIST points out, these guidelines can apply to all kinds of organizations.

The document, which is a whopping 326 pages, is pretty exhaustive. But don’t worry. As the supply chain remains a security risk, we’ve boiled down some key points for you.

Consider Specific Components of Vulnerabilities

NIST suggests an atomized view of vulnerabilities. They call for considering not only products but each specific component. Don’t forget “the journey those components took to reach their destination,” either. Supply chains are more at risk than ever. Companies manufacture products all over the world, and those products are complex.

Different manufacturers from different places may assemble individual components from parts coming from around the world. Each of the dozens, hundreds or thousands of sources for the parts that go into complex machinery, computers and other devices may themselves fall victim to attacks aimed at breaching supply chains. All of this is true of software as well as hardware.

Consider Security and Logistic Controls

These guidelines include an extensive list of security controls (safeguards or countermeasures) in Appendix A. NIST sorts them into families, such as “access control,” “incident response,” “risk assessment” and many others. This section should not be overlooked, as it received the most bolstering since previous iterations.

Additionally, you can’t follow the NIST guidelines without automation. In fact, businesses need to automate their risk management workflow in today’s complex supply chain world.

Zero Trust Matters

The NIST guidance calls for Zero Trust in supply chains. Under the “access control” family, the guidelines state that “organizations must limit information system access to authorized users, processes acting on behalf of authorized users, devices (including other information systems), and the types of transactions and functions that authorized users are permitted to exercise.”

The “access enforcement” section also points out that “information systems and the supply chain have appropriate access enforcement mechanisms in place.” This all points to Zero Trust.
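One way to express the deny-by-default access enforcement the quoted control describes, limiting access by user, by process acting on behalf of a user, by device, and by permitted transaction type. This is an added example, not part of the NIST document or this post; the policy tables, identities, resources and device names are constructed for illustration.

```python
"""Deny-by-default access enforcement check (added example, not from NIST).

Every identity, device, resource and policy entry below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    principal: str               # the user or process making the request
    on_behalf_of: Optional[str]  # set when a process acts for a user
    device: str                  # device (or other system) the request comes from
    resource: str
    action: str                  # the transaction or function being exercised


# Constructed allow-lists. Anything absent from these tables is denied.
USER_PERMISSIONS = {
    "alice": {"build-pipeline": {"read", "trigger"}},
    "bob": {"artifact-store": {"read"}},
}
# Processes may only inherit a user's rights through an explicit delegation.
DELEGATIONS = {
    "ci-runner": {"alice"},
}
# Devices and other information systems allowed to reach these resources.
TRUSTED_DEVICES = {"laptop-01", "runner-07"}


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason is written so it can go straight
    into an audit log, which is where denied requests become detectable."""
    if req.device not in TRUSTED_DEVICES:
        return False, f"device {req.device!r} is not an authorized device"

    if req.on_behalf_of is not None:
        if req.on_behalf_of not in DELEGATIONS.get(req.principal, set()):
            return False, (f"{req.principal!r} is not delegated to act "
                           f"on behalf of {req.on_behalf_of!r}")
        effective_user = req.on_behalf_of
    else:
        effective_user = req.principal

    allowed = USER_PERMISSIONS.get(effective_user, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, (f"{effective_user!r} is not permitted to "
                       f"{req.action!r} on {req.resource!r}")
    return True, f"{effective_user!r} may {req.action!r} on {req.resource!r} from {req.device!r}"


def evaluate_all(requests: List[Request]) -> List[Tuple[Request, bool, str]]:
    """Evaluate a batch of requests; useful for replaying logged access attempts."""
    return [(req, *authorize(req)) for req in requests]


if __name__ == "__main__":
    sample = [  # constructed requests
        Request("alice", None, "laptop-01", "build-pipeline", "trigger"),
        Request("alice", None, "laptop-01", "build-pipeline", "delete"),
        Request("ci-runner", "alice", "runner-07", "build-pipeline", "trigger"),
        Request("ci-runner", "bob", "runner-07", "artifact-store", "read"),
        Request("alice", None, "unknown-phone", "build-pipeline", "read"),
        Request("mallory", None, "laptop-01", "build-pipeline", "read"),
    ]
    for _, ok, why in evaluate_all(sample):
        print("ALLOW" if ok else "DENY ", why)
```

The shape matters more than the tables: nothing is granted unless the device, the delegation (if any) and the specific action on the specific resource are all explicitly listed, and every denial carries a reason so the decision can be logged and reviewed.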

Prioritize the Right Risk

Prioritization is key to supply chain risk management. The guidance goes into some detail on risk, how to develop a formal understanding of where the greatest risk lies in the supply chain, and how to act on those biggest risks. It also offers advice on viewing risk on three levels: the enterprise, business process, and operational levels.

Customize Guidelines

The NIST guidelines are not a one-size-fits-all solution. Rather, they are compiled and communicated so that the principles and practices can fit nearly any organization. The document says, “Enterprises should identify, adopt, and tailor the practices described in this document to best suit their unique strategic, operational, and risk context.”

Something for Everyone

It’s tempting to believe that these kinds of guidelines are niche, and therefore helpful only to a niche audience. However, it’s not just developers who should read and consider these guidelines. Instead, NIST points out that it has a very broad target audience.

The new guidance is relevant to managers, engineers, business owners, developers, project managers, procurement managers, and anyone with procurement responsibilities. NIST also designed it for all logistics leaders, system integrators, property managers, continuity planners, anyone involved in privacy, component producers and, of course, everyone involved in cybersecurity.

With endless time, internal personnel, and resources, you could follow NIST’s guidance to the letter with relative ease.

However, in the real world, the document provides an aspirational catalog, at best, of risks and remedies for securing supply chains. The guidance can provide a practical roadmap by combining risk prioritization with automation, security postures such as Zero Trust, and other tools.

Luckily, this doesn’t need to be left to your organization to figure out all alone. There are security experts here at Tigunia that can lend a hand. To learn more, contact Tigunia today.