CISA, NSA, ODNI Announce New ESF Guidance for Software Customers  

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) partnered with industry and government experts under the Enduring Security Framework (ESF) to release “Securing the Software Supply Chain Recommended Practices Guide for Customers” and an accompanying fact sheet.

In an effort to provide guidance to customers, ESF examined the events that led up to the SolarWinds attack. This examination made clear that investment was needed to create a set of industry- and government-evaluated best practices focused on the needs of the software customer.

Historically, threat actors targeted commonly known vulnerabilities that were left unpatched. While that tactic is still used to compromise unpatched customer systems, a newer, less conspicuous method threatens software supply chains and undermines trust in the patching and update mechanisms that have been critical to guarding against those legacy attacks. Rather than waiting for public vulnerability disclosures, threat actors proactively inject malicious code into products that are then legitimately distributed downstream through the global software supply chain. Over the last few years, these next-gen software supply chain compromises have increased significantly for both open source and commercial software products.

Prevention is often seen as the responsibility of the software developer, who is expected to securely develop and deliver code, verify third-party components, and harden the build environment. A supplier's network can also be infiltrated and malicious code inserted before the final software product is delivered, which compromises the supply chain just as effectively.

If a software package injected with malicious code proliferates to multiple consumers, it is much more difficult to contain and can have a far greater impact than an attack aimed at a single customer.

Because of this, the customer also holds a critical responsibility in ensuring the security and integrity of software; not only do they acquire the software, but they are also responsible for deploying it. To avoid network exploitation, they should assess threats by conducting supply chain risk management (SCRM) activities and define risk profiles during the security requirements process. Developers and suppliers should also provide customers with guidance on how to verify the integrity of the software components.
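As an added illustration of the customer-side integrity check the paragraph above refers to, the following Python script is not part of the ESF guide or this announcement. It assumes a supplier publishes a SHA-256 manifest for each release and that the customer obtains that manifest through a separate, trusted channel; the file names and contents are constructed stand-ins, not real software.

```python
import hashlib
import hmac

# Constructed sample artifacts standing in for a vendor's release files
# (hypothetical names and contents, not real software).
RELEASE_FILES = {
    "agent-1.4.2.tar.gz": b"binary payload of the agent tarball",
    "agent-1.4.2-installer.msi": b"binary payload of the installer",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Supplier side: record a digest for every shipped artifact.

    In practice the supplier signs this manifest and publishes it out of
    band (a separate host, a package index, or signed release notes), so
    that a compromised download server cannot simply rewrite it.
    """
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_release(files: dict, manifest: dict) -> dict:
    """Customer side: compare each received artifact against the manifest.

    Returns a per-file status. Anything other than 'ok' (a digest mismatch,
    a file listed in the manifest but not received, or a file received that
    the manifest never listed) should block deployment.
    """
    results = {}
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual = sha256_hex(data)
        # compare_digest avoids timing side channels on the comparison.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "digest-mismatch"
    for name in files:
        if name not in manifest:
            results[name] = "unlisted"
    return results


def release_is_trusted(results: dict) -> bool:
    """True only when every artifact matched and nothing unexpected arrived."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    manifest = build_manifest(RELEASE_FILES)
    # Simulate a tampered download: one artifact modified, one extra file added.
    received = dict(RELEASE_FILES)
    received["agent-1.4.2.tar.gz"] = received["agent-1.4.2.tar.gz"] + b"\n# injected"
    received["extra-helper.exe"] = b"unexpected file"
    results = verify_release(received, manifest)
    for name, status in results.items():
        print(f"{name}: {status}")
    print("deploy:", "yes" if release_is_trusted(results) else "NO")
```

The caveat a practitioner should keep in mind: a digest or signature check only confirms that the customer received what the supplier shipped. If the supplier's own build pipeline was compromised, as in the SolarWinds case, the tampered artifact is what the supplier signed and published, and it verifies cleanly. That is why the guide pairs integrity verification with supply chain risk management rather than treating either one as sufficient on its own.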

Security is not just for the developers and suppliers, it’s for customers too. Until all stakeholders seek to mitigate concerns specific to their area of responsibility, the software supply chain cycle will be vulnerable and at risk for potential compromise.

This guidance for customers is the third and final segment in a three-part series on “Securing the Software Supply Chain.” Earlier this year, ESF published the first part for developers and the second for suppliers; both can be found on NRMC Resources.

Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Cell: 217-299-3954