CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

4 ways to improve software supply chain security

supply-chain-1170x658freepik.jpg
February 11, 2022

NIST has just published its Software Supply Chain Security Guidelines with the hopes of improving the nation’s cybersecurity. 


The following four recommendations are intended to assist federal agencies and software producers in communicating clearly with each other regarding secure software development artifacts, attestation and conformity. 


  1. Use the SSDF’s terminology and structure to organize secure software development requirements communications. This enables all software producers to use the same lexicon when attesting to conformity for federal agencies. Software producers can map their secure development methodology to the SSDF’s secure software development practices or associated informative references.
  2. Require attestation to cover secure software development practices performed as part of processes and procedures throughout the software life cycle. With the highly dynamic nature of software today, attesting to how things were and are done on an ongoing basis (processes and procedures) is typically more valuable than attesting to how things were done for a specific software release generated by one instance of those processes. This is especially true for post-release practices such as vulnerability disclosure and response, where processes might not yet have been performed for the latest release.
  3. Accept first-party attestation of conformity with SSDF practices unless a risk-based approach determines that second or third-party attestation is required. 
  4. When requesting artifacts of conformance, request high-level artifacts. The software producer should be able to trace the practices summarized in the high-level artifacts to the corresponding low-level artifacts that are generated by those practices.


These minimum recommendations apply to attestation for all software within the scope of this guidance procured by federal agencies, and they should be part of each agency’s processes, NIST says. The recommendations are not intended to replace more stringent requirements for secure software development that federal agencies may have.


These minimum practices will not be sufficient in some cases. For example, an agency may need greater visibility into the practices for a particular product to better understand how the product would affect the agency’s cybersecurity risk.

KEYWORDS: cyber security information security risk management software supply chain

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Related Articles

Related Products

See More ProductsSee More Products

Events

View AllSubmit An Event
  • November 17, 2025

    SECURITY 500 Conference

    This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.
View AllSubmit An Event

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!