White House Releases Software Supply Chain Security Guidance

The White House published a memo requiring agencies to comply with guidance from the Office of Management and Budget (OMB) which aims to improve software supply chain integrity and security. 

Signed by OMB Director Shalanda Young, the memo builds on Executive Order (EO) 14028, Improving the Nation’s Cybersecurity from May 2021, which is focused on the security and integrity of the software supply chain.

That EO emphasized the importance of secure software development environments and directed the National Institute of Standards and Technology (NIST) to issue guidance identifying practices that enhance the security of the software supply chain.

The recent memo, published on September 14, requires each federal agency to comply with the NIST guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, said it is heartening to see the memo establish a desire for consistency in the process by which they obtain self-attestations from suppliers.

“Such consistency and any eventually-centralized repository should help minimize the burden suppliers have in complying with the requirements of this memo,” he explained. “This is the first point where we have a directive for agencies to comply with guidance emerging from EO 14028.”

Software Supply Chain Security: A Challenging Space

Mackey said the single most important thing to realize is that software security is a problem space and that there is no silver bullet.

“No single action will prevent the next ransomware attack and the execution of tools doesn’t inherently fix vulnerabilities,” he said. “This is a highly technical space that is rather complex and nuanced. Well-intentioned humans will always make some mistakes and perfection isn’t attainable.”

That means the IT security industry needs to accept that software will always have weaknesses that can be exploited in certain circumstances.

“The moment you combine software into a supply chain, the potential for weaknesses increases and the potential for the authors of components within the supply chain to know the circumstances of how their software is used goes down,” Mackey said. 

Rick Holland, CISO and vice president of strategy at Digital Shadows, a provider of digital risk protection solutions, said from his perspective, the White House’s EO on improving the nation’s cybersecurity was a step in the right direction.

He said the OMB guidance is another good step; however, he added that this is a very long journey that will be measured not in months, but in years and, possibly, decades.

“The guidance focuses on vendor self-attestations and not independent validation,” he pointed out. “A government software supplier could claim to comply with NIST standards, but without third-party confirmation, the agency won’t know for sure. Zero-trust principles should apply here, too; don’t trust that a supplier is compliant—confirm it.”

He argued that the biggest threat to supply chain security is the complexity in defending against supply chain threats.

“Point-in-time security questionnaires are a legal requirement, not a preventive control. The number of third-party providers can be staggering, with security teams having to assess hundreds of providers,” he said.

Holland pointed out that security teams often don’t know the sensitive data their suppliers can access or the attack paths coming from their partners.

“Adversaries often do a better job of data discovery than defenders,” he added. 

A Plan For Moving Forward

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cybersecurity risk remediation, said the idea behind the government’s plan is good and the NIST guidelines are solid.

“What remains to be seen is how vendors will implement the guidance and whether it is enough to deal with a very dynamic threat space,” he added. 

He said while zero-day vulnerabilities still get the biggest headlines, the fact remains that users represent the broadest threat surface.

“Phishing, social engineering and other attacks against personnel remain consistent threat vectors and will almost certainly remain so,” he explained. “Having the most secure application code and supply chain won’t help when users are still giving up their passwords.”

Parkin said by requiring third-party vendors to adhere to the NIST standards, they can encourage them to develop software that is more secure and more robust—but that only really applies to vendors that want to work in the government space.

“They can’t necessarily push those standards on the public sector,” he noted. “And without a robust testing scheme to assure that when a vendor says ‘We comply’, that they actually do, some risks will remain.”

Mackey said mitigating software supply chain threats requires an understanding of the risk such threats pose to both the production of software and its associated operation and communicating the nature of those risks from producers to operators.

Properly managing software supply risk requires teams to move from a paradigm where tools are run and teams “do security” to one where the impact of findings from tools are understood and mitigations are made based on the context of how the given application runs.

“Solving this problem requires teams to think in terms of risk analysis first and then identify which tooling is best positioned to provide data supporting the analysis,” he explained.

Parkin added that threat actors have always adapted to the defenses put in place to stop them, and it’s difficult to say what technique they’ll shift to next.

“They will continue to look for vulnerabilities in the software, and they will continue to go after the users using whatever technique they find works,” he warned.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 242 posts and counting.See all posts by nathan-eddy