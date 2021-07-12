Supply Chain Security

The National Institute of Standards and Technology (NIST) has issued two documents meant to improve the integrity and security of the software supply chain, in accordance with an executive order seeking to strengthen U.S. cybersecurity.

NIST said Friday it worked with the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) to come up with a publication that lists security measures for critical software use.

The security measures outlined in the guidance for protecting EO-critical software and the platforms it runs on include: using multifactor authentication that is verifier impersonation-resistant; following privileged access management principles for network-based administration; establishing and maintaining a data inventory for EO-critical software; protecting data at rest and in transit; and applying patch management practices.

NIST consulted with the National Security Agency (NSA) to develop guidance outlining minimum standards for vendors’ source code testing. The recommended minimum standards for developer testing include threat modeling, static or code-based analysis and dynamic analysis.
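As an added illustration (not code from NIST's documents or from the article above), the following Python sketch shows what the "static or code-based analysis" item amounts to in practice: parse a module into its AST without running it and flag call sites a reviewer would want to look at, such as shell-constructed subprocess calls, unsafe deserialization, and dynamic code evaluation. The rule set, the `analyze_source` function, and the `SAMPLE_MODULE` source it scans are all constructed for this example.

```python
"""Minimal code-based (static) analysis pass: walk a Python module's AST and
flag risky call sites. Added example; the rules and the sample module below
are constructed for illustration, not NIST tooling."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _dotted_name(node: ast.AST) -> str:
    """Render a call target such as `subprocess.run` as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _kw(call: ast.Call, name: str):
    """Return the AST node passed as keyword `name`, or None if absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def analyze_source(source: str) -> list[Finding]:
    """Return findings for risky call sites in `source`, ordered by line."""
    tree = ast.parse(source)  # parse only; the code is never executed
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in ("eval", "exec"):
            findings.append(Finding(node.lineno, "dynamic-exec",
                                    f"{name}() evaluates code built at runtime"))
        elif name in ("subprocess.run", "subprocess.Popen", "subprocess.call",
                      "subprocess.check_output", "os.system"):
            shell = _kw(node, "shell")
            # os.system always goes through a shell; subprocess only with shell=True
            if name == "os.system" or (isinstance(shell, ast.Constant) and shell.value is True):
                findings.append(Finding(node.lineno, "shell-injection",
                                        f"{name} hands its argument string to /bin/sh"))
        elif name in ("pickle.load", "pickle.loads"):
            findings.append(Finding(node.lineno, "unsafe-deserialize",
                                    "pickle deserialization runs code embedded in the input"))
        elif name == "yaml.load":
            loader = _kw(node, "Loader")
            if loader is None or _dotted_name(loader) not in ("yaml.SafeLoader", "SafeLoader"):
                findings.append(Finding(node.lineno, "unsafe-deserialize",
                                        "yaml.load without SafeLoader can instantiate arbitrary objects"))
    findings.sort(key=lambda f: f.line)  # ast.walk is breadth-first, not line order
    return findings


# Constructed sample module to scan (it is parsed, never imported or run).
SAMPLE_MODULE = '''\
import os, subprocess, pickle, yaml

def run_report(user_arg):
    subprocess.run(["ls", "-l", user_arg])              # argv list, no shell: fine
    subprocess.run("ls -l " + user_arg, shell=True)     # shell=True: flagged
    os.system("du -sh " + user_arg)                     # always a shell: flagged

def load_config(blob, text):
    cfg = yaml.load(text, Loader=yaml.SafeLoader)       # safe loader: fine
    raw = yaml.load(text)                               # no loader: flagged
    return pickle.loads(blob), cfg, raw                 # pickle: flagged

def calc(expr):
    return eval(expr)                                   # flagged
'''

if __name__ == "__main__":
    for f in analyze_source(SAMPLE_MODULE):
        print(f"line {f.line:>3}  {f.rule:<19} {f.detail}")
```

A real static scanner adds data-flow tracking (is the argument actually attacker-controlled?) and a much larger rule set; the point here is only that the check runs against source alone, which is what distinguishes this bullet from the dynamic-analysis one that follows it.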

NIST developed the two documents by hosting virtual workshops and soliciting position papers to gather feedback and insights from the public.

