On May 5, 2022 the National Institute of Standards and Technology (NIST) released the clearest and most effective guidance to implement best practice to protect the software supply chain and help consumers detect and manage software supply chain risk. The newly released publication is called “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”, SP 800-161r1. Here are some key messages from NIST on the new release.
“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens, one of the publication’s authors.
“If your agency or organization hasn’t started on [C-SCRM], this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.” —NIST's Jon Boyens
NIST Special Publication 800-161 Revision 1 provides guidance on identifying, assessing and responding to cybersecurity risks throughout the supply chain at all levels of an organization. It forms part of NIST’s response to Executive Order 14028: Improving the Nation’s Cybersecurity, specifically Sections 4(c) and (d), which concern enhancing the security of the software supply chain.
The publication now offers key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains. It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination.
The primary audience for the revised publication is acquirers and end users of products, software and services. The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product or the retailers that carry it.
“It has to do with trust and confidence,” said NIST’s Angela Smith, an information security specialist and another of the publication’s authors. “Organizations need to have greater assurance that what they are purchasing and using is trustworthy. This new guidance can help you understand what risks to look for and what actions to consider taking in response.”
Organizations seeking to implement C-SCRM in accordance with Executive Order 14028 should visit NIST's dedicated web-based portal.
This version of the C-SCRM standard significantly improves on practices for vulnerability reporting by leveraging IEC standard 29147:2018 for vulnerability disclosure reporting (VDR): "Integrate SBOMs, vulnerability databases, and reporting mechanisms to ensure that federal departments and agencies rapidly receive notification of recently released vulnerabilities."
RA-5 VULNERABILITY MONITORING AND SCANNING
Supplemental C-SCRM Guidance: Vulnerability monitoring should cover suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers in the enterprise’s supply chain. This includes employing data collection tools to maintain a continuous state of awareness about potential vulnerability to suppliers, as well as the information systems, system components, and raw inputs that they provide through the cybersecurity supply chain. Vulnerability monitoring activities should take place at all three levels of the enterprise. Scoping vulnerability monitoring activities requires enterprises to consider suppliers as well as their sub-suppliers.
Enterprises, where applicable and appropriate, may consider providing customers with a Vulnerability Disclosure Report (VDR) to demonstrate proper and complete vulnerability assessments for components listed in SBOMs. The VDR should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component or product. The VDR should also contain information on plans to address the CVE. Enterprises should consider publishing the VDR within a secure portal available to customers and signing the VDR with a trusted, verifiable, private key that includes a timestamp indicating the date and time of the VDR signature and associated VDR. Enterprises should also consider establishing a separate notification channel for customers in cases where vulnerabilities arise that are not disclosed in the VDR. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.
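The RA-5 guidance and the VDR paragraph above describe a pipeline: match every SBOM component against a vulnerability database, record the analysis (impact or lack of impact) and the remediation plan for each reported CVE, then sign the report with a private key so that the timestamp and findings are covered by the signature. The following Go program is an added example written for this post, not NIST's code and not a format prescribed by SP 800-161r1. The VDR field names, the `vulnFeed` and `triage` tables, the component names and the CVE identifiers are all constructed placeholders; Ed25519 from the Go standard library stands in for whatever signing key and PKI an enterprise actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Component is one SBOM entry (constructed minimal model, not an SPDX/CycloneDX schema).
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// Finding records the analysis of one reported CVE against one component:
// whether the product is affected, why, and what the enterprise plans to do.
type Finding struct {
	Component Component `json:"component"`
	CVE       string    `json:"cve"`
	Affected  bool      `json:"affected"`
	Analysis  string    `json:"analysis"`
	Plan      string    `json:"plan"`
}

// VDR is the unsigned report body. The timestamp lives inside it so the signature covers it.
type VDR struct {
	Product   string    `json:"product"`
	Timestamp string    `json:"timestamp"` // RFC 3339, UTC
	Findings  []Finding `json:"findings"`
}

// SignedVDR is what gets published to the customer portal: the report plus an
// Ed25519 signature over its JSON encoding.
type SignedVDR struct {
	VDR       VDR    `json:"vdr"`
	Signature []byte `json:"signature"`
}

// Triage is the enterprise's analysis of one CVE (assumed data, constructed for this example).
type Triage struct {
	Affected bool
	Analysis string
	Plan     string
}

// vulnFeed stands in for a vulnerability-database query, keyed by name@version.
// The CVE ids are placeholders, not real records.
var vulnFeed = map[string][]string{
	"libexample@1.2.0": {"CVE-0000-0001", "CVE-0000-0002"},
}

// triage holds completed analyses. A CVE with no entry is reported as affected and
// pending, so an untriaged report is never silently presented as "no impact".
var triage = map[string]Triage{
	"CVE-0000-0001": {Affected: false, Analysis: "vulnerable function not reachable in this build", Plan: "none required"},
}

// BuildVDR matches every SBOM component against the feed and attaches the triage result.
func BuildVDR(product string, sbom []Component, now time.Time) VDR {
	v := VDR{Product: product, Timestamp: now.UTC().Format(time.RFC3339), Findings: []Finding{}}
	for _, c := range sbom {
		for _, cve := range vulnFeed[c.Name+"@"+c.Version] {
			t, ok := triage[cve]
			if !ok {
				t = Triage{Affected: true, Analysis: "pending analysis", Plan: "pending"}
			}
			v.Findings = append(v.Findings, Finding{Component: c, CVE: cve, Affected: t.Affected, Analysis: t.Analysis, Plan: t.Plan})
		}
	}
	return v
}

// SignVDR signs the JSON encoding of the report. encoding/json emits struct fields in
// declaration order, so the signed bytes are reproducible by the verifier.
func SignVDR(v VDR, priv ed25519.PrivateKey) (SignedVDR, error) {
	data, err := json.Marshal(v)
	if err != nil {
		return SignedVDR{}, err
	}
	return SignedVDR{VDR: v, Signature: ed25519.Sign(priv, data)}, nil
}

// VerifyVDR re-encodes the received report and checks the signature, so any change to
// a finding or to the timestamp after signing is detected by the consumer.
func VerifyVDR(s SignedVDR, pub ed25519.PublicKey) bool {
	data, err := json.Marshal(s.VDR)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, data, s.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stand-in for the enterprise's signing key
	if err != nil {
		panic(err)
	}
	sbom := []Component{{Name: "libexample", Version: "1.2.0"}, {Name: "otherlib", Version: "2.0.0"}}
	signed, err := SignVDR(BuildVDR("example-product", sbom, time.Now()), priv)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(signed, "", "  ")
	fmt.Println(string(out))
	fmt.Println("signature valid:", VerifyVDR(signed, pub))
	signed.VDR.Findings[0].Affected = !signed.VDR.Findings[0].Affected // simulate a tampered copy
	fmt.Println("after tampering:", VerifyVDR(signed, pub))
}
```

The consumer-side check is the point of the exercise: a customer who fetches the VDR from the portal verifies it against the supplier's published public key before trusting the "not affected" findings, and the timestamp inside the signed body lets them tell a fresh report from a stale one that predates a newly published CVE.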
This release of SP 800-161r1 contains new and improved guidelines that are designed to help software consumers identify, protect against, detect, respond to and recover from sophisticated cybersecurity threats and the tactics, techniques and procedures (TTP) used by hackers today.
The SBOM "preachers", i.e. Allan Friedman, Tom Alrich and Duncan Sparrell, have completed their missionary work, and it's now time for these preachers to pass the baton over to the SBOM and VDR implementers, i.e. the C-SCRM vendors, to take us across the finish line by rolling out SBOM and VDR solutions for Executive Order 14028. Many thanks to Allan, Tom and Duncan for completing the first leg of the SBOM race; now it's time to encourage adoption and help the implementers finish the SBOM race to complete the journey!