CISA, NSA, ODNI Announce New ESF Guidance for Software Suppliers/Vendors

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) partnered with industry and government experts under the Enduring Security Framework (ESF) to release Securing the Software Supply Chain Recommended Practices Guide for Suppliers and accompanying fact sheet.

Software suppliers/vendors act as a liaison between the customer and the software development team; ensuring software is developed in a secure environment and delivered via secure channels. To ensure a more secure software supply chain, Suppliers should seek to identify threats that could compromise the organization, software development, software itself, and software delivery (i.e. on-premise or Software-as-a-Service (SaaS)) environments and implement associated mitigations.

Recent cyberattacks such as those executed against SolarWinds and its customers, and exploits that take advantage of vulnerabilities such as Log4j, highlight weaknesses within software supply chains, an issue which spans both commercial and open-source software and impacts both private and government enterprises. Accordingly, there is an increased need for software supply chain security awareness and cognizance regarding the potential for software supply chains to be weaponized by nation state adversaries using similar tactics, techniques, and procedures.

This guidance has been created by the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework Working Group, a public-private working group that provides cybersecurity guidance addressing high-priority cyber threats to the nation’s critical infrastructure. In line with industry best practices and principles, software suppliers are encouraged to review and reference this new guidance.

This guidance for suppliers is the second in a three-part series on “Securing the Software Supply Chain.” In September, the first part for developers was published; the third and final segment will be for software customers, such as those who acquire software for the federal government. The series can be found here.


Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Cell:  217-299-3954 |