Demystifying NIST Guidelines on Enhancing Software Supply Chain Security
President Biden has made cybersecurity a top priority for his Administration at all levels of government, primarily in response to the recent wave of cyberattacks on government agencies and their partners, including third-party vendors and suppliers. On May 12, 2021, the President signed Executive Order (EO) 14028 on improving the nation's cybersecurity.
The EO directs multiple agencies, including NIST, to strengthen cybersecurity through initiatives focused on the security and integrity of the software supply chain. NIST promptly joined forces with the National Security Agency (NSA), the Office of Management and Budget (OMB), and the Cybersecurity & Infrastructure Security Agency (CISA) to publish guidance outlining:
- The security measures for critical software use
- The minimum standards for vendors' testing of their software source code
Keep scrolling to understand what these guidelines entail and what your organization needs to do to implement them.
Security Measures for Critical Software Use
The Executive Order tasked NIST with defining concrete security measures for the use of EO-critical software. NIST responded with five core objectives, each backed by specific security measures, that organizations using or supplying EO-critical software should follow to strengthen software supply chain security. These are:
Protect EO-Critical Software and EO-Critical Platforms from Unauthorized Access and Usage
To protect EO-critical software and platforms from unauthorized access and usage, NIST requires suppliers, vendors, and end users to implement the following security measures:
- Use multi-factor authentication that is verifier impersonation-resistant (i.e., phishing-resistant, such as FIDO2/WebAuthn or PIV-based authenticators, which bind each authentication to the legitimate verifier) for all users and administrators of EO-critical software and platforms.
- Uniquely identify and authenticate each service attempting to access EO-critical software and platforms.
- Follow privileged access management principles for network-based administration of EO-critical software and platforms, for example by uniquely authenticating each administrator and proxying and logging all administrative sessions.
- Employ appropriate boundary protection techniques to minimize direct access to EO-critical software, EO-critical platforms, and their associated data.
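The first measure above hinges on the phrase "verifier impersonation-resistant", which is what separates an authenticator that survives a phishing proxy from one that does not. The following script is an added example (not part of the NIST guidance or of this article) that simulates both cases: a time-based one-time code, which an adversary-in-the-middle can relay to the genuine site, and an origin-bound assertion of the kind FIDO2/WebAuthn authenticators produce, which the genuine verifier rejects because it was signed for the phishing origin. The origins, the class names (`Authenticator`, `RelyingParty`) and the use of an HMAC over a key shared at registration in place of a real digital signature are assumptions made so the example runs with the standard library only.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

# Assumed origins for the illustration (not from the NIST guidance).
GENUINE_ORIGIN = "https://sso.example.gov"
PHISH_ORIGIN = "https://sso-example-gov.login-help.invalid"  # attacker's look-alike site


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: a code that is not bound to any origin."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class Authenticator:
    """User-side authenticator holding the secrets created at registration."""

    def __init__(self) -> None:
        self.totp_secret = os.urandom(20)
        self.assertion_key = os.urandom(32)  # stands in for a WebAuthn private key

    def otp(self, now: int) -> str:
        return totp(self.totp_secret, now)

    def assert_login(self, challenge: bytes, origin_seen_by_client: str) -> dict:
        # The browser reports the origin it is really connected to, and the
        # authenticator signs that origin together with the challenge. The
        # signature is modelled as an HMAC over a key shared at registration.
        client_data = f"{origin_seen_by_client}|{challenge.hex()}".encode()
        sig = hmac.new(self.assertion_key, client_data, hashlib.sha256).hexdigest()
        return {"origin": origin_seen_by_client, "challenge": challenge, "sig": sig}


class RelyingParty:
    """Server side (the verifier): checks either factor for a registered authenticator."""

    def __init__(self, origin: str, registered: Authenticator) -> None:
        self.origin = origin
        self.totp_secret = registered.totp_secret
        self.assertion_key = registered.assertion_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_otp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, now))

    def verify_assertion(self, challenge: bytes, assertion: dict) -> bool:
        # Reject unless the assertion names our origin and our challenge and
        # carries a valid signature over both.
        if assertion["origin"] != self.origin or assertion["challenge"] != challenge:
            return False
        client_data = f"{self.origin}|{challenge.hex()}".encode()
        expected = hmac.new(self.assertion_key, client_data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["sig"])


def legitimate_login(auth: Authenticator, rp: RelyingParty, now: int) -> dict:
    """The user talks to the genuine origin; both factors verify."""
    challenge = rp.new_challenge()
    assertion = auth.assert_login(challenge, origin_seen_by_client=GENUINE_ORIGIN)
    return {"otp_ok": rp.verify_otp(auth.otp(now), now),
            "assertion_ok": rp.verify_assertion(challenge, assertion)}


def phishing_relay(auth: Authenticator, rp: RelyingParty, now: int) -> dict:
    """An adversary-in-the-middle proxy: the victim's browser talks to
    PHISH_ORIGIN while the proxy relays every message to the genuine verifier."""
    # Factor 1: the OTP the victim types into the phishing page is relayed
    # verbatim within its validity window and is accepted.
    otp_phished = rp.verify_otp(auth.otp(now), now)
    # Factor 2: the proxy forwards the genuine challenge unchanged, but the
    # victim's browser is connected to PHISH_ORIGIN, so the assertion is bound
    # to that origin and the genuine verifier rejects it.
    challenge = rp.new_challenge()
    assertion = auth.assert_login(challenge, origin_seen_by_client=PHISH_ORIGIN)
    assertion_phished = rp.verify_assertion(challenge, assertion)
    return {"otp_phished": otp_phished, "assertion_phished": assertion_phished}


if __name__ == "__main__":
    auth = Authenticator()
    rp = RelyingParty(GENUINE_ORIGIN, auth)
    now = int(time.time())
    print("legitimate login:", legitimate_login(auth, rp, now))
    print("phishing relay:  ", phishing_relay(auth, rp, now))
```

The OTP is accepted in the relay because nothing in it says where the user typed it; the assertion is rejected because the client, not the phishing page, supplies the origin that gets signed. Real WebAuthn also binds the assertion to a registered relying-party ID and a public-key signature, which this model collapses into the shared HMAC key.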
Shield the Integrity, Confidentiality, and Availability of Data Used by EO-Critical Software and EO-Critical Platforms
Under the second objective, suppliers, vendors, and users of EO-critical software or platforms must meet the following requirements:
- Establish and maintain a data inventory for all EO-critical software and EO-critical platforms
- Implement a data backup solution, exercise backup restoration, and be prepared to recover data used by EO-critical software and EO-critical platforms
- Use fine-grained access control for all data and resources used by EO-critical software and EO-critical platforms
- Protect data at rest by encrypting the sensitive data used by EO-critical software and EO-critical platforms in accordance with NIST's cryptographic standards
- Protect data in transit by encrypting sensitive data communications of EO-critical software and EO-critical platforms in accordance with NIST's cryptographic standards
Identify and Maintain EO-Critical Software and EO-Critical Platforms to Protect them from Exploitation
The third objective is to ensure that users of EO-critical software and EO-critical platforms keep them maintained and protected against exploitation. It requires all suppliers, vendors, and end users to:
- Establish and maintain a software inventory for all platforms running EO-critical software and for all software deployed to each platform.
- Implement patch management practices to help maintain EO-critical platforms and all software deployed to those platforms.
- Implement configuration management practices to help maintain EO-critical platforms and all software deployed to those platforms.
Quick Detection, Response to, and Recovery from Threats and Incidents Targeting EO-Critical Software and EO-Critical Platforms
An organization following these measures must be able to quickly detect, respond to, and recover from cybersecurity incidents affecting its EO-critical software and EO-critical platforms. To that end, NIST requires you to:
- Configure logging to record the necessary details about cybersecurity events involving EO-critical software and EO-critical platforms.
- Continuously monitor the security of all EO-critical software and EO-critical platforms.
- Deploy endpoint security protection on all EO-critical platforms to protect the platforms and the software deployed to them.
- Train all incident response and security operations personnel, based on their roles and responsibilities, on how to handle incidents involving EO-critical software and platforms.
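Logging is only useful if something reads it. As an added example (not from the NIST guidance or this article), the script below runs three simple detection rules over a constructed sample of authentication and session events from the kind of administrative-session proxy the first objective calls for: a burst of failed administrator logins, a successful login following such a burst, an administrator login without a verifier impersonation-resistant factor, and an administrative session that bypassed the proxy. The log format, field names, thresholds, and the set of acceptable MFA methods are assumptions; the same rules would normally live in a SIEM.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log for the example (not real data). One event per line:
# <ISO-8601 time> <event> key=value ...
SAMPLE_LOG = """\
2021-07-09T08:00:01Z admin_login_failure user=alice src=203.0.113.7 mfa=none
2021-07-09T08:00:09Z admin_login_failure user=alice src=203.0.113.7 mfa=none
2021-07-09T08:00:15Z admin_login_failure user=alice src=203.0.113.7 mfa=none
2021-07-09T08:00:21Z admin_login_failure user=alice src=203.0.113.7 mfa=none
2021-07-09T08:00:40Z admin_login_success user=alice src=203.0.113.7 mfa=totp
2021-07-09T09:12:03Z admin_login_success user=bob src=10.0.0.5 mfa=fido2
2021-07-09T09:12:10Z admin_session_start user=bob src=10.0.0.5 session=s-1001 proxied=true
2021-07-09T11:30:00Z admin_login_success user=carol src=10.0.0.9 mfa=none
2021-07-09T11:30:05Z admin_session_start user=carol src=10.0.0.9 session=s-1002 proxied=false
"""

# Assumed detection thresholds and policy.
BRUTE_FORCE_FAILURES = 4
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
VERIFIER_IMPERSONATION_RESISTANT = {"fido2", "piv"}


def parse_line(line: str) -> dict:
    """Parse one 'time event k=v k=v ...' record into a dict."""
    ts, event, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def detect(log_text: str) -> list:
    """Run the rules over the log and return a list of alert dicts."""
    alerts = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps in window

    def alert(rule, rec):
        alerts.append({"rule": rule, "user": rec.get("user"), "src": rec.get("src"),
                       "ts": rec["ts"].isoformat()})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec.get("user"), rec.get("src"))
        # Keep only failures still inside the sliding window for this user/source.
        window = [t for t in recent_failures[key] if rec["ts"] - t <= BRUTE_FORCE_WINDOW]

        if rec["event"] == "admin_login_failure":
            window.append(rec["ts"])
            recent_failures[key] = window
            if len(window) == BRUTE_FORCE_FAILURES:  # fire once per burst
                alert("brute_force", rec)

        elif rec["event"] == "admin_login_success":
            if len(window) >= BRUTE_FORCE_FAILURES:
                alert("success_after_brute_force", rec)
            if rec.get("mfa", "none") not in VERIFIER_IMPERSONATION_RESISTANT:
                alert("weak_or_missing_mfa", rec)
            recent_failures.pop(key, None)

        elif rec["event"] == "admin_session_start" and rec.get("proxied") != "true":
            alert("unproxied_admin_session", rec)

    return alerts


def summarize(alerts: list) -> dict:
    """Count alerts per rule, e.g. for a dashboard or a test."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["rule"]:<26} user={a["user"]} src={a["src"]}')
    print(summarize(found))
```

On the sample, alice trips the brute-force rule and then logs in with a TOTP code (flagged as not verifier impersonation-resistant), bob is clean, and carol both logs in without MFA and opens a session that did not pass through the proxy. Each rule depends on a field that only exists because logging was configured to record it (the MFA method, the proxied flag), which is the practical reason the logging measure comes before the monitoring one.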
Fortify the Understanding and Performance of Human Actions that Bolster the Security of EO-Critical Software and EO-Critical Platforms
Under this objective, NIST expects organizations to implement the following practices:
- Train all users in the organization on how to use EO-critical software and EO-critical platforms securely.
- Train all administrators in the organization on how to administer EO-critical software and EO-critical platforms securely.
- Conduct regular awareness activities to reinforce the training of all users and administrators, measure their effectiveness, and note the areas that require improvement.
Minimum Standards for Vendors' Testing of Their Software Source Code
The May 12 Executive Order also called for NIST to publish guidelines recommending minimum standards for vendors or developers to verify (test) their software source code. Below are some of the recommended techniques and their minimums:
Threat Modeling
NIST recommends threat modeling as a technique for uncovering vital and potentially overlooked testing targets. The method abstracts the system, profiles potential attackers (including their motives and methods), and catalogs the possible threats. Threat modeling can surface design-level security issues and helps focus subsequent verification and testing effort where it matters most.
Bug Fixing
NIST also recommends fixing critical bugs uncovered by testing as soon as possible. Beyond the fix itself, developers need to change the processes that let the bug through (for example, by adding a regression test for it) so that the same bug cannot resurface in a later release.
Automated Testing
NIST recommends that developers use automated source code testing. Automated tests can be run repeatedly and consistently, produce reproducible results, and reduce the chance of human error. The automated testing solution can also be integrated into an existing workflow or issue tracking system so that findings are tracked to closure.
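The bug-fixing and automated-testing recommendations above meet in the regression test: the fix is only "done" once the failing input is captured in a test that runs on every build. The following is an added example (not from NIST IR 8397 or this article) built around a hypothetical vendor function, `export_path()`, that maps a user-supplied report name to a file under an export directory. The original version, kept as `export_path_v1`, lets `..` escape the directory; `export_path` is the fix, and the inputs that reproduced the bug become cases in a deterministic suite that reports which function gets which case wrong. The directory, the function names and the report names are illustrative.

```python
import posixpath

EXPORT_DIR = "/srv/reports/export"  # assumed export root


def export_path_v1(report_name: str) -> str:
    """Original (buggy) version: strips a leading slash and nothing else, so a
    name such as '../../etc/passwd' escapes EXPORT_DIR. Kept only so the suite
    below can show the bug."""
    return posixpath.join(EXPORT_DIR, report_name.lstrip("/"))


def export_path(report_name: str) -> str:
    """Fixed version: normalise the joined path and require it to remain
    strictly inside EXPORT_DIR. The trailing '/' in the prefix check stops
    '/srv/reports/export-old' from passing as a child of '/srv/reports/export'.
    (String checks do not follow symlinks; code touching a real filesystem
    should also resolve the path with os.path.realpath.)"""
    candidate = posixpath.normpath(posixpath.join(EXPORT_DIR, report_name))
    if not candidate.startswith(EXPORT_DIR + "/"):
        raise ValueError(f"report name escapes the export directory: {report_name!r}")
    return candidate


# Regression cases: (input, expected result). ValueError means "must be rejected".
# The traversal inputs are the cases that reproduced the original bug.
REGRESSION_CASES = [
    ("q2.csv", EXPORT_DIR + "/q2.csv"),
    ("2021/q2.csv", EXPORT_DIR + "/2021/q2.csv"),
    ("../../../etc/passwd", ValueError),
    ("2021/../../secrets.txt", ValueError),
    ("../export-old/x", ValueError),   # prefix-collision variant of the bug
    ("", ValueError),                  # the directory itself is not a report
]


def run_suite(fn) -> dict:
    """Run every regression case against fn. Deterministic and side-effect
    free, so it can run unchanged on every commit."""
    results = {}
    for name, expected in REGRESSION_CASES:
        try:
            got = fn(name)
        except ValueError:
            got = ValueError
        results[name] = "pass" if got == expected else f"fail: got {got!r}"
    return results


def failures(fn) -> list:
    """Names of the cases fn gets wrong; an empty list means the suite passes."""
    return [name for name, outcome in run_suite(fn).items() if outcome != "pass"]


if __name__ == "__main__":
    print("buggy:", failures(export_path_v1))
    print("fixed:", failures(export_path))
```

Wiring `failures(export_path)` into the build (a pytest assertion, a CI job, or a pre-merge check) is the "integrate into an existing workflow" step: if a later refactor reintroduces the traversal, the suite fails on that commit rather than in production, and the case list is where the next uncovered variant gets added.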
Over to You: Trust On Time Tech with All Your Cybersecurity Needs and Software Supply Chain Consultation!
If your organization relies on EO-critical software and/or EO-critical platforms to fulfill its day-to-day objectives, you will need to comply with the NIST guidelines discussed above. But these are not ordinary cybersecurity recommendations that can be implemented at the press of a few buttons. Satisfying all the requirements takes time, firsthand cybersecurity expertise, and the attention to detail needed to check every box NIST requires.
So instead of burdening your employees with NIST compliance, you can partner with On Time Tech, a No. 1 rated San Francisco cybersecurity firm, and let your workforce focus on more value-adding activities. We can help identify the NIST guidelines that apply to your organization, devise a strategy, and implement all the requirements in a timely and effective manner for full compliance.
So what are you waiting for? Contact our responsive experts today, and let us take care of all your cybersecurity and software supply chain security needs!