NIST updates software supply chain security guidance

The National Institute of Standards and Technology (NIST) released updated guidance on securing the software supply chain in response to the Biden administration's executive order on improving national cybersecurity.

Among NIST's recommended minimum security measures for U.S. enterprises are standardizing the language regarding software supply chain reporting and requiring attestation to security practices within software use and development.

Cybersecurity leaders will likely need to enact a cultural shift in their organizational risk management strategies in order to adopt these guidelines, according to Dr. Chenxi Wang, Managing General Partner at Rain Capital and Technical Advisory Board Member at Secure Code Warrior.

"The newest draft of 'Engineering Trustworthy Secure Systems' specifically outlines the importance of proactive risk management, including mitigation of vulnerabilities within systems and software. This requires software engineers to pay attention to and upskill in secure design principles, which should be a layer of foundational learning in their security training," said Dr. Wang.

"Security leaders can set an example for the organization by prioritizing code-level quality and safety, setting developers up for success through security program innovation. Being supported in building hyper-relevant skills helps them understand the importance of security best practices and their power to make a difference."

With the focus on development-level cybersecurity, Chief Information Security Officers (CISOs) may shift and grow their relationships with information technology (IT) and software development teams to prioritize security from the beginning of the software lifecycle.

"I think we are reaching a point where CISOs are generally becoming more interested in the security potential of development teams and what they are doing to protect the organization from devastating data breaches," said Dr. Wang.

"In that sense, I think there will be some new empathy for software developers' plight and their competing priorities, which will, in turn, assist in CISOs having a better understanding of right-fit tools, training and processes to help them achieve security at speed."

Madeline Lauver joined Security magazine in 2021 as its Assistant Editor. She covers news affecting enterprise security leaders, including physical security, cybersecurity, leadership and management, risk and resilience and more. Within her role at Security, Lauver focuses on news articles, Web Exclusives, features, and several departments for Security’s monthly digital edition, as well as managing social media and multimedia content. Lauver graduated in 2019 with a BA in English, German and Media Studies from Kalamazoo College.

Situational awareness should be at the forefront of your security program. It can mean the difference between life and death in a workplace emergency.

Security’s digital transformation is now entering stage 5. Complex security technologies are connected to HR systems, global security operations centers, and other building technologies in a world where employees now work in two places: home and the corporate office.