New NIST Software Supply Chain Security Guidance Recommends Use of Security Ratings

New guidance from the U.S. National Institute of Standards and Technology (NIST) provides important information for organizations seeking to improve their software supply chain security. NIST recommends a variety of best practices, which include:

  • Leveraging commercially available tools such as security ratings
  • Evaluating vendor attestations
  • Incorporating security into contract requirements

The NIST guidance was mandated by the May 2021 U.S. Executive Order (EO) on Improving the Nation’s Cybersecurity. The EO includes provisions designed to improve software supply chain security, including methods to reduce vulnerabilities in the software being developed, as well as to strengthen the cybersecurity practices of the software developers and suppliers themselves.

The EO was written in response to a dramatic increase in software supply chain security incidents impacting Federal and commercial organizations. In recent years, malicious actors have continuously exploited new and existing vulnerabilities in software—as well as the security programs of IT and software providers—in order to gain unlawful access to customers and data. Major events impacting SolarWinds, Microsoft Exchange Servers, Atlassian, and countless others highlight the risks that organizations face when software and software developers are exploited. 

The EO creates new requirements for federal agencies to implement robust software supply chain security programs. Federal agencies are now required to adopt new standards and tools to ensure the security of their software supply chains, including criteria to monitor and evaluate the security practices of the developers and suppliers themselves.

The EO also directed NIST to examine best practices for software supply chain security and issue recommendations for both Federal and commercial entities to consider implementing.

NIST’s Software Supply Chain Security Guidance highlights key capabilities that will help organizations reduce risk from software vendors and other critical businesses in the software supply chain. Notably, NIST recommends that organizations:

  • Assess and analyze vendors using open-source data and (as resources permit) commercially available third-party assessment and security ratings platforms.
  • Require vendors to periodically self-attest to adopting strong security and development practices.
  • Include flow-down requirements for sub-tier suppliers.
  • Prioritize or mandate the use of suppliers who provide a software security label or data sheet that includes information about the software itself.

BitSight is proud to work with more than 2,500 customers, including over 130 global government agencies, as they implement supply chain risk management programs. If your organization is considering a program to reduce supply chain risk, our advisors are standing by to speak with you and provide advice and consultation.
