Latest Guidance Outlines Customer Responsibilities for Software Security


The guide provides recommendations throughout the product lifecycle, from procurement to deployment.

Several agencies published the last part in a series about securing the software supply chain, this time focusing on customers. 

The guidance, released Thursday by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Office of the Director of National Intelligence, gives recommendations for software customers “to ensure the integrity and security of software during the procuring and deployment phases.”

The agencies provided recommendations spanning the software lifecycle, from defining requirements through product evaluation, contracts, deployment, testing, integration, product roll-out, upgrades and training.

For example, recommendations include keeping security and risk assessments up to date, mandating sufficient protection and control of geolocation data and metadata, and specifying and assigning individual roles, among other things.

This customer guidance follows a similar August document for developers and October guidance for suppliers. However, the report for developers was met with mixed reviews from industry. 

The series, Securing Software Supply Chain, is a product of the Enduring Security Framework, a CISA- and NSA-led public-private cross-sector working group.