The National Institute of Standard and Technology (NIST) has issued two documents meant to improve the integrity and security of the software supply chain in accordance with an executive order seeking to strengthen U.S. cybersecurity.
NIST said Friday it worked with the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) to come up with a publication that lists security measures for critical software use.
Security measures outlined in guidance to protect EO-critical software and related platforms include using multifactor authentication that is verifier impersonation-resistant; following privileged access management principles for network-based administration; establishing and maintaining a data inventory for EO-critical software; protecting data at rest and in transit; and using patch management practices.
NIST consulted with the National Security Agency (NSA) to develop guidance outlining minimum standards for vendors’ source code testing. The recommended minimum standards for developer testing include threat modeling, static or code-based analysis and dynamic analysis.
NIST developed the two documents by hosting virtual workshops and seeking position papers to seek feedback and insights from the public.
If you want to hear cybersecurity experts talk about how the tech supply chain can reduce the risk of cyberattacks and get ahead of hackers, then check out ExecutiveBiz's Supply Chain Cybersecurity: Revelations and Innovations Forum coming up on Oct. 26th. To register for this virtual forum and view other upcoming events, visit the ExecutiveBiz Events page.
