NIST Delivers Two Key Publications to Enhance Software Supply Chain Security Called for by Executive Order
On May 12, 2021, the President signed an Executive Order (EO), calling for various agencies, including NIST, to enhance software supply chain security. The EO directs NIST and other relevant State agencies to implement multiple initiatives focused on improving the integrity and security of the software supply chain.
For instance, as per the EO, NIST must enhance existing or devise new strategies, best practices, tools, and standards for enhancing software supply chain security in academic institutions, private sectors, government agencies, etc. The idea is to influence the masses to become more vigilant in identifying, assessing, and mitigating the rampant software supply chain risks.
So we prepared this in-depth resource to shed more light on various NIST guidelines and recommendations, including:
- Security measures for critical software use
- Minimum standards for vendors’ testing of their software source code
Security Measures for Critical Software Use
One of the Executive Order’s directives was that NIST develops rock-solid security measures for EO-critical software use. So in that capacity, NIST had five core objectives for enforcing various required software security measures. Here’s a detailed breakdown:
Protect EO-Critical Software and Platforms from Illegal Access and Usage
NIST has established various security measures applicable to all software designated as EO-critical as well as all admins, users, platforms, or networks that run EO-critical software. These measures include:
Use of Multi-Factor Authentication, MFA
All administrators and users of EO-critical software and platforms must acquire an MFA solution that’s verifier impersonation-resistant. This protocol ensures that when a user or an admin attempts to access EO-critical software or platform over a network, everything and everyone is legitimate. Thus, there’s no chance for ill-intended users to steal credentials through phishing attacks. Plus, a hacker can’t use stolen authentication details to impersonate a legitimate admin or user.
Unique Identification and Authentication of each Service
Any service attempting to access the EO-critical software or platform must be carefully assessed and verified to flag any malicious characters. In a Special Publication 800-53, NIST establishes clear-cut security and privacy for information systems that organizations using EO-critical software are required to follow fully.
Use of Boundary Protection Techniques
NIST recommends using various techniques such as proxies, software-defined perimeters, and network segmentation to limit the direct access to EO-critical software, platforms, and their associated data.
Protect the Confidentiality, Integrity, and Availability of EO-Critical Data
Here, NIST has an objective to ensure that organizations using EO-critical software and platforms fulfill the following security measures:
- Establish and uphold a data inventory for all EO-critical software and platforms.
- Implement an unbeatable access control strategy for all data and resources used by EO-critical software and platforms.
- Implement a data encryption solution to protect all sensitive (resting) data used by EO-critical software and platforms per NIST’s cryptographic standards.
- Implement mutual authentication and encryption strategies for all your EO-critical software and platforms to protect data (in transit)
- Back up data used by EO-critical software and platforms, test the backups, and be prepared to recover the data should an incident occur.
Identify and Maintain EO-Critical Platform to Protect Software Deployed on such Platforms from Exploitation
The third objective is all about NIST ensuring that all EO-critical platforms running both EO and non-EO-critical software are optimally safe from exploitation. Therefore, the agency should ensure that EO-critical organizations:
- Establish and uphold a software inventory for all EO and non-EO-critical software and platforms.
- Leverage patch management practices to maintain EO-critical platforms and all software running on those platforms.
- Leverage configuration management practices to maintain EO-critical platforms and all software running on those platforms
Swiftly Detect, Mitigate, and Recover from Cyber Threats and Incidents
NIST also has to ascertain that EO-critical organizations can unmask, respond to, and recover from software supply chain incidents. Hence, it requires organizations to:
- Configure logging to record all sensitive details about security events related to EO-critical platforms and software.
- Implement a 24/7 security monitoring solution for all the EO-critical platforms and software.
- Implement endpoint security protection.
- Employ network security protection.
- Train the incident response teams and security operations personnel on their duties and responsibilities.
Train all EO-Critical Software Users Based on Their Duties and Responsibilities
NIST’s final objective in regulating and enforcing safe and secure usage of EO-critical software is to ensure that organizations train their employees on how to use these software and platforms securely. Thus, it requires companies to:
- Train all their EO-critical software and platforms admins on how to administer their duties and responsibilities securely.
- Arrange for frequent awareness activities to supplement the training given to admins and end-users and measure the effectiveness of such exercises to identify areas that need improvement.
Minimum Standards for Vendors’ Testing of Their Software Source Code
The Executive Order (EO) 14028 also required NIST to recommend minimum standards that vendors and developers should use to verify or test their software source codes. Here’s an in-depth understanding of some of these guidelines:
Threat Modeling
Threat modeling helps uncover potential vulnerabilities and targets by tracking the profiles of suspicious/ill-intended individuals as well as their tactics and goals. The strategy can expose design-level security challenges and help put more focus on testing.
Automated Testing
Organizations should implement an automated security testing/verification solution to ensure that EO-critical software and platforms are consistently tested for cybersecurity issues. In addition, automating the process ensures that you get accurate results and save employees from doing redundant work.
Code-Based Analysis
This involves the use of code scanners to unearth top bugs. NIST recommends that businesses acquire static analysis tools to check code for various vulnerabilities and comply with organization-specific coding standards. And if your organization uses multi-threaded or parallel processing software, NIST recommends getting a scanner that can detect race conditions.
Bug Fixing
NIST also requires organizations to fix critical uncovered bugs as soon as possible and make all the necessary adjustments, preventing such bugs from re-emerging in the future or catch them early enough in the development stage.
Conclusion: Orion Networks is Your Go-To Cybersecurity and Supply Chain Consultant!
Let’s face it; implementing all these NIST guidelines and recommendations in your organization isn’t child’s play. It takes time, expertise, and resources because, even after completing the implementation, you need to constantly monitor and manage your systems for new security issues. Thankfully, you can partner with reliable and experienced cybersecurity and supply chain expert like Orion Networks to guarantee confident and timely NIST compliance while releasing your employees to focus on more business-centric responsibilities.
And the best part about partnering with us? You save 10% immediately and get a whole month of FREE service! So don’t let this opportunity pass; contact Orion Networks for all your cybersecurity needs in the Washington DC metro area.