The National Security Agency and the Cybersecurity and Infrastructure Security Agency’s latest guidance offers software developers and suppliers a set of recommendations on how to securely source and store open source software, as open source use has skyrocketed in the last few years.
The new document from the Enduring Security Framework (ESF) Software Supply Chain Working Group focuses on open source software adoption and what to consider when introducing an open source component into an existing environment. The guidance also covers best practices for managing Software Bills of Materials (SBOMs).
Titled ‘Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials,’ the guidance expands on a June 2023 memo from the Office of Management and Budget, which directed agencies to begin collecting attestations for critical software and clarified that agencies only have to collect attestations from the producer of the software end product. The document also builds on the previously released series of recommended practices guides for securing the software supply chain.
“This guidance may be used to describe, assess and measure security practices relative to the software lifecycle. Additionally, the suggested practices listed herein may be applied across a software supply chain’s acquisition, deployment and operational phases,” the report stated.
The document delves into open source software management; creating and maintaining a company-internal secure open source software repository; open source software maintenance, support and crisis management; code signing and secure software delivery; and SBOM creation, validation and artifacts.
The guidance also highlights seven areas of improvement related to software development and open source software: open source selection criteria, risk assessment, licensing, export control, maintenance, vulnerability response, and secure software and SBOM delivery.
Given the complexity of securing the software supply chain, the document will continue to evolve. The working group urges suppliers and developers to track CISA’s website for SBOM updates and clarifications. CISA also facilitates Vulnerability Exploitability eXchange (VEX) discussions with the SBOM community and has published information and resources on defining VEX minimum elements, use cases and status justifications.
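The practical use of VEX alongside an SBOM, as an added example that is not part of the article or the ESF guidance: the script below takes a constructed CycloneDX-style SBOM and a constructed VEX document laid out with the fields CISA’s minimum-elements work names (author, timestamp, version, product, vulnerability, status, justification), matches components against a constructed vulnerability feed, and decides which findings still need action. It fails closed: a `not_affected` statement without a recognised justification does not suppress the finding. The SBOM and VEX JSON shapes, the feed, the `EXAMPLE-*` identifiers and the helper names are all assumptions for illustration; only CVE-2021-44228 and the log4j-core version are real.

```python
"""Triage SBOM components against a vulnerability feed using VEX statements.

Added example; the document layouts and identifiers below are constructed
for illustration, not taken from the ESF guidance or any real product.
"""
import json

# Justification vocabulary for a not_affected status, as listed in the
# CISA VEX minimum-elements and status-justification documents.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed CycloneDX-style SBOM fragment (shape is an assumption).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "jackson-databind", "version": "2.15.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    {"name": "example-lib", "version": "1.0.0",
     "purl": "pkg:npm/example-lib@1.0.0"}
  ]
}
"""

# Constructed VEX document. The second statement deliberately omits the
# justification that a not_affected status requires.
VEX_JSON = """
{
  "author": "Example Supplier PSIRT",
  "timestamp": "2024-01-15T10:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": "CVE-2021-44228",
     "product": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": "EXAMPLE-2024-0001",
     "product": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2",
     "status": "not_affected"}
  ]
}
"""

# Constructed vulnerability feed: purl -> advisories that list it as affected.
# EXAMPLE-* identifiers are placeholders, not real advisories.
VULN_FEED = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": ["CVE-2021-44228"],
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2": ["EXAMPLE-2024-0001"],
    "pkg:npm/example-lib@1.0.0": ["EXAMPLE-2024-0002"],
}


def load_components(sbom_json):
    """Return the purl of every SBOM component that carries one."""
    bom = json.loads(sbom_json)
    return [c["purl"] for c in bom.get("components", []) if "purl" in c]


def index_vex(vex_json):
    """Check VEX document metadata, then map (product, vulnerability) -> statement."""
    vex = json.loads(vex_json)
    for field in ("author", "timestamp", "version"):
        if field not in vex:
            raise ValueError(f"VEX document missing required metadata: {field}")
    return {(s["product"], s["vulnerability"]): s for s in vex["statements"]}


def triage(sbom_json, vex_json, feed):
    """Split feed hits into actionable, suppressed and invalid-VEX findings.

    Each finding is a (purl, vulnerability id, reason) tuple. Anything without
    a usable VEX statement stays actionable, so a missing or malformed
    statement never hides a finding.
    """
    statements = index_vex(vex_json)
    actionable, suppressed, invalid = [], [], []
    for purl in load_components(sbom_json):
        for vuln_id in feed.get(purl, []):
            stmt = statements.get((purl, vuln_id))
            if stmt is None:
                actionable.append((purl, vuln_id, "no_vex_statement"))
            elif stmt["status"] == "fixed":
                suppressed.append((purl, vuln_id, "fixed"))
            elif stmt["status"] == "not_affected":
                if stmt.get("justification") in NOT_AFFECTED_JUSTIFICATIONS:
                    suppressed.append((purl, vuln_id, stmt["justification"]))
                else:
                    invalid.append((purl, vuln_id, "not_affected_without_justification"))
                    actionable.append((purl, vuln_id, "invalid_vex"))
            else:  # "affected" or "under_investigation"
                actionable.append((purl, vuln_id, stmt["status"]))
    return {"actionable": actionable, "suppressed": suppressed, "invalid": invalid}


if __name__ == "__main__":
    for bucket, findings in triage(SBOM_JSON, VEX_JSON, VULN_FEED).items():
        print(bucket)
        for purl, vuln_id, reason in findings:
            print(f"  {vuln_id:<20} {reason:<40} {purl}")
```

With the constructed inputs, the log4j finding is suppressed by a justified `not_affected` statement, the jackson-databind finding is flagged because its `not_affected` statement carries no justification, and example-lib has no statement at all and stays actionable. Swapping the inline strings for files read from a vendor’s SBOM and VEX feed is the only change needed to run this against real input.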
“Understanding the provenance of SBOMs is clearly where rubber hits the road; however, organizations need the capability to both consume and proactively use those SBOMs. If they don’t, then SBOMs merely become shelfware until there’s an incident or a known vulnerability. SBOMs are a critical piece of supply chain risk management,” Jon Boyens, the deputy chief of the Computer Security Division at the National Institute of Standards and Technology, told Federal News Network in an interview in October.
“But they’re not a silver bullet, and they require an organization to have a broader and deeper vulnerability management program established in order to really reap the benefits of SBOMs,” he added.
The ESF’s guidance on securing the software supply chain from last year identified SBOMs as critical to the software acquisition process and recommended that agencies use SBOMs during the evaluation phase of an acquisition.
CISA also facilitates workstreams, led by the National Telecommunications and Information Administration, on SBOM-related topics, including cloud and online applications; on-ramps and adoption; sharing and exchanging; and tooling and implementation.
Recent high-profile software supply chain incidents, including SolarWinds and Log4j, have prompted organizations to address weaknesses within the software supply chain. President Joe Biden’s cybersecurity executive order, released in 2021, established new requirements for securing the federal government’s software supply chain, signaling the beginning of the administration’s commitment to a more secure software supply chain. Earlier this year, the White House released the National Cybersecurity Strategy, which called for shifting the burden of cybersecurity onto vendors and for software providers to adopt more secure software development practices.
The ESF Software Supply Chain Working Group, led by the NSA, the Office of the Director of National Intelligence (ODNI), CISA and industry partners, is just one of the government-wide efforts to address the need for software supply chain security guidance.