NIST updates software supply chain security guidance

February 14, 2022

The National Institute of Standards and Technology (NIST) released updated guidance on securing the software supply chain in response to the Biden administration's executive order on improving national cybersecurity.

Among NIST's recommended minimum security measures for U.S. enterprises are standardizing the language regarding software supply chain reporting and requiring attestation to security practices within software use and development.

Cybersecurity leaders will likely need to enact a cultural shift in their organizational risk management strategies in order to adopt these guidelines, according to Dr. Chenxi Wang, Managing General Partner at Rain Capital and Technical Advisory Board Member at Secure Code Warrior.

"The newest draft of 'Engineering Trustworthy Secure Systems' specifically outlines the importance of proactive risk management, including mitigation of vulnerabilities within systems and software. This requires software engineers to pay attention to and upskill in secure design principles, which should be a layer of foundational learning in their security training," said Dr. Wang.

"Security leaders can set an example for the organization by prioritizing code-level quality and safety, setting developers up for success through security program innovation. Being supported in building hyper-relevant skills helps them understand the importance of security best practices and their power to make a difference."

With the focus on development-level cybersecurity, Chief Information Security Officers (CISOs) may shift and grow their relationships with information technology (IT) and software development teams to prioritize security from the beginning of the software lifecycle.

"I think we are reaching a point where CISOs are generally becoming more interested in the security potential of development teams and what they are doing to protect the organization from devastating data breaches," said Dr. Wang.

"In that sense, I think there will be some new empathy for software developers' plight and their competing priorities, which will, in turn, assist in CISOs having a better understanding of right-fit tools, training and processes to help them achieve security at speed."

Madeline Lauver joined Security magazine in 2021 as its Assistant Editor. She covers news affecting enterprise security leaders, including physical security, cybersecurity, leadership and management, risk and resilience and more. Within her role at Security, Lauver focuses on news articles, Web Exclusives, features, and several departments for Security’s monthly digital edition, as well as managing social media and multimedia content. Lauver graduated in 2019 with a BA in English, German and Media Studies from Kalamazoo College.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

NIST updates software supply chain security guidance

Recent Articles by Madeline Lauver

CISOs list top cyber threats to enterprises in 2022

Pro-Russia cyberattacks target Italian Senate, Eurovision

Lessons learned from a career in healthcare security

Top 5 cyber threats of Q1 2022

How AI helps prevent workplace harassment

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

NIST updates software supply chain security guidance

Recent Articles by Madeline Lauver

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.