NIST Issues Guidance for Addressing Software Supply-Chain Risk
Amid ongoing software supply-chain jitters, the US standards agency has finalized a comprehensive framework of cybersecurity controls for managing that risk.
The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for addressing software supply-chain risk, offering tailored sets of suggested security controls for various stakeholders.
Software supply-chain attacks rocketed to the top of the enterprise worry list as the SolarWinds and Log4Shell incidents sent shockwaves through the IT security community. Security practitioners are increasingly concerned about the safety of the open-source components and third-party libraries that make up the building blocks of thousands of applications. Another cause of worry is the variety of ways a platform itself can be abused: in the Kaseya attack last year, attackers exploited the vendor's remote monitoring and management software to push ransomware to the customers of managed-service providers, and in the SolarWinds case they compromised the vendor's build and update process so that legitimately signed updates delivered malware.
NIST's latest publication, Special Publication 800-161 Rev. 1, offers specific risk-management guidance for roles such as cybersecurity specialists, risk managers, systems engineers, and procurement officials. Each role maps to a set of recommended controls, such as requiring secure remote-access mechanisms for any supplier or developer who connects into the organization's environment, enforcing the principle of least privilege, and maintaining an inventory of all software suppliers and the products sourced from them.
“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST publication author Jon Boyens, in a Thursday announcement. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”
The update follows from Executive Order 14028 on Improving the Nation's Cybersecurity, issued by President Biden in May 2021, which directs federal agencies to "improve the security and integrity of the software supply chain, with a priority on addressing critical software."