NSA, CISA and ODNI release new software supply chain guidelines for developers

Maskot/Getty Images

An interagency, public-private working group “strongly encouraged” software developers to begin implementing a suite of best practices aimed at further securing the software development lifecycle.

The National Security Agency has released the first set of new guidance for developers in a series of directives aiming to bolster software supply chain security in collaboration with the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence.

An interagency, public-private software supply chain working group published the guidance on Thursday in response to a White House executive order last year which mandated new security standards and updated requirements for the federal government's software supply chain. The first part of the series focuses on software developers, whereas the forthcoming two directives will separately address software suppliers and their customers, according to an NSA press release accompanying the guidelines. 

"Security is not just for the developer," the press release read. "We all have to do our part to secure our networks."

The guidelines include best practices on open source management, verifying third-party components, delivering code, component maintenance, hardening the build environment and more. They also feature various threat scenarios and recommended mitigation techniques.

The Enduring Security Framework software supply chain working panel said it "strongly encouraged" developers to reference the document for designing software architecture from a security perspective, as well as maintaining that security and the underlying infrastructure. 

The working group said the need for a standardized set of best practices around software supply chain security became clear following the 2020 SolarWinds ransomware attack, in which suspected Russian-linked cyber criminals injected malicious code into the company's software systems, impacting government and private sector customers nationwide.

To mitigate potential vulnerabilities, the guidelines suggest organizations implement a vulnerability submission system to identify, collect and track product defects, as as a central company-wide Product Security Incident Response Team to collaborate with external researchers, increase transparency and practice responsible disclosure methods. 

NSA did not specify when it planned to publish the remaining two parts of the guidelines for suppliers and customers. The agency did not immediately respond to a request for comment.