CISA and NIST release guidance on software supply chain attacks

CISA and NIST release guidance on software supply chain attacks

April 28, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute for Standards and Technology (NIST) have released a new resource that reviews software supply chain risks and offers recommendations for identifying, assessing, and mitigating those risks.

A software supply chain attack—such as the recent SolarWinds Orion attack—occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to customers. The compromised software can then further compromise customer data or systems.

Newly acquired software may be compromised from the outset, or a compromise may occur through other means like a patch or hotfix. In these cases, the compromise still occurs prior to the patch or hotfix entering the customer’s network. These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers.

The new interagency resource, Defending Against Software Supply Chain Attacks, also provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and secure software development frameworks (SSDF) to identify, assess, and mitigate risks.

CISA encourages users and administrators to review Defending Against Software Supply Chain Attacks and implement its recommendations.

Read more:

Download the document: