NIST Delivers Two Critical Publications to Strengthen Software Supply Chain Security
President Joe Biden’s executive order of May 12 directed NIST, in consultation with other key federal agencies, to solicit “input from the private sector, Federal Government, academia, and other relevant actors to identify existing or come up with fresh tools, standards, and best practices for compliance with the procedures, criteria, and standards.”
The Order also directed NIST to publish preliminary guidelines for strengthening software supply chain security within 180 days of its issuance (by November 8, 2021).
The guidance must address standards, criteria, or procedures such as multi-factor authentication, the use of automated tools, data encryption, and similar processes that check for known and potential security vulnerabilities and remediate them. These checks shall be performed regularly, or before a product, update, or version release, and the purchaser shall receive a Software Bill of Materials (SBOM) for every product, either directly or through publication on a public website. Software purchasers shall also be able to participate in a vulnerability disclosure program, including a reporting and disclosure process.
NIST Fulfills the First Assignment
NIST has recently completed its first mandate by publishing two of its assigned deliverables to improve the security of the software supply chain. The Presidential Executive Order (EO) on Improving the Nation’s Cybersecurity (14028) charges multiple agencies with enhancing cybersecurity through a range of initiatives aimed at strengthening the security and integrity of the software supply chain.
Last month, NIST defined critical software, laying the foundation for the publication of guidance on security measures for the software supply chain. NIST consulted widely with the Cybersecurity & Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) when developing the guidelines.
Additionally, NIST published guidelines recommending minimum standards for vendors’ testing of their software source code. As required under the May EO, NIST consulted with the National Security Agency (NSA) to develop these guidelines. Both deliverables were based on extensive public participation through workshops and calls for position papers, and both were due by July 11, 2021.
NIST’s Responsibilities under the Executive Order
Under Section 4 of EO 14028, NIST’s responsibility was to seek input from government agencies, the private sector, academia, and other entities to identify existing, or develop new, standards, tools, best practices, and other guidelines to improve software supply chain security.
Accordingly, the guidelines should include:
- Criteria for software security evaluation
- Criteria for establishing security practices for software suppliers and developers
- Methods or tools to demonstrate compliance with security best practices
After publishing the two guidelines, the next milestone for NIST is to publish preliminary guidelines, based on existing documents and stakeholder input, to enhance software supply chain security; the deadline for this is November 8, 2021. By February 6, 2022, NIST, in consultation with various agencies, is directed to issue guidance identifying best practices for strengthening software supply chain security. This guidance should encompass supply chain security criteria, procedures, and standards. Additionally, NIST is expected to publish further guidelines by May 8, 2022, covering procedures for periodically reviewing and updating the security guidelines.
The executive order has also tasked NIST with responsibilities such as consumer labeling programs for software and Internet of Things (IoT) devices, intended to inform consumers about the security of those products. The primary deadline for those efforts is February 6, 2022. Over the coming weeks, NIST will announce its approach to executing these assignments. As with other assignments in the executive order, NIST is charged with soliciting ideas and information from relevant stakeholders to carry out these tasks.
NIST’s Definition of Critical Software
After consulting with relevant government agencies, hosting a virtual workshop, and soliciting position papers from the software community, NIST developed its definition of critical software last month. Under that definition, EO-critical software is any software that has, or has direct software dependencies upon, one or more components with at least one of the following attributes:
- Performs a function critical to trust
- Is designed to operate with elevated privilege or manages privileges
- Has privileged or direct access to computing or networking resources
- Is designed to manage access to operational technology or data
- Operates outside of standard trust boundaries with privileged access
NIST has reiterated that the definition applies to software of all forms, including standalone software, software integral to specific hardware components and devices, and cloud-based software, that is deployed in, or purchased for, production systems and used for operational purposes.
Later phases of the EO’s implementation may also cover other software categories, such as:
- Cloud-based and hybrid software
- Software that controls access to data
- Software development tools such as code repository systems, testing software, development tools, integration software, deployment software, and packaging software
- Software components for operational technology (OT)
- Software components for boot-level firmware
Critical Software Categories
NIST has created a table that spells out specific categories of software used for security functions, including software that affects network control, network protection, and endpoint security. The preliminary critical software categories are:
- Operating systems, container environments, and hypervisors
- Web browsers
- Identity, credential, and access management (ICAM)
- Network protection
- Endpoint security
- Network control
- Operational analysis and monitoring
- Network monitoring and configuration
- Remote scanning
- Backup/recovery and remote storage
- Configuration management and remote access
The Executive Order is a critical step in the Biden administration’s efforts to strengthen cybersecurity at the federal government level. This includes standardizing cybersecurity policies and requirements across agencies, as well as strengthening cybersecurity information sharing and collaboration with government contractors.
All the agencies charged with rulemaking need to move quickly to meet near-term deadlines and complete their specific assignments in order to achieve the policy directives.
WPG Consulting is keeping tabs on the developments surrounding the presidential directive and will keep its customers updated on how the new policy changes will affect their businesses. We are a Managed Services Provider offering technical support and professional guidance for all areas of your IT systems. Our team of experienced and certified IT professionals specializes in Cloud Computing, IT Infrastructure Management, Cybersecurity, Software Development, and VOIP Services. Contact us today to schedule a consultation for your business in New York City and the tri-state area.