The National Security Agency and the Cybersecurity and Infrastructure Security Agency jointly released an information sheet recommending security best practices for organizations with Continuous Integration/Continuous Delivery coding platforms.

The guidance was published amid potential threats from malicious cyber actors to compromise CI/CD pipelines, which are key to executing development, security and operations strategies, NSA said Wednesday.

Top risks in CI/CD pipelines include insecure codes, poisoned pipeline execution, misconfigured systems, the use of third-party services and exposure of security keys and secrets.

NSA and CISA urge organizations to implement a zero trust approach to detect threats and use NSA-recommended cryptographic algorithms to boost protection of data, secrets, keys and application programming interfaces.

Long-term credentials should be avoided in software authentication, but if it must be maintained, administrators should protect and manage all keys associated with them. Ephemeral credentials should also be used in cloud environments, the agencies stated.

The full document is available on the NSA website.

The Department of Homeland Security revised its acquisition regulation to enhance the protection and privacy of controlled unclassified information, and improve security incident reporting to the agency.

The rule, which takes effect on July 21, aims to refine standard procedures for responding to DHS contractors that encounter incidents with the agency’s sensitive data.

The Homeland Security Acquisition Regulation was amended to ensure security measures are in place for contractor or subcontractor employees who will access CUI. It contains requirements and processes for handling in-house or third-party information systems that will be used to collect or transmit CUI.

New HSAR language also includes mandates for contractors to have notification and credit monitoring services for individuals who may be affected by information system incidents because of their Personally Identifiable Information or Sensitive PII.

The Department of Defense Cyber Crime Center partnered with George Mason University to help address challenges in the full-scale launch of its Vulnerability Disclosure Program.

The collaboration was made possible through the National Security Innovation Network Capstone program, which is comprised of entrepreneurs and student technologists with innovations that are potentially beneficial to the DOD, the defense agency said Tuesday.

VDP began in 2016 as a pilot program with the Defense Industrial Base and was was designed to cast a wider net of protection for the DOD Information Network. Although the pilot proved successful, it faced scalability obstacles such as a larger workforce to meet higher demand for services.

A team from George Mason University Information Systems and Operations Management analyzed the lessons learned from the program and made recommendations to help resolve its labor-intensive challenges. Among the suggested solutions was the creation of a cloud-based portal to support DIB companies going through the VDP onboarding phase.

After eight weeks, the recommendations led to a 50-hour reduction in labor hours spent on the program, as well as a decline in onboarding processing time from eight hours to one hour per company. VDP expanded its DIB companies from 50 to 1,000 for the same operational budget.

The General Services Administration has released a request for information on vendors that could provide post-quantum cryptography products and services.

GSA has asked several questions regarding PQC-related tools and services that companies offer and risks and impacts to organizations’ information technology systems as they support federal, state, local and tribal entities, according to a notice published Tuesday.

The agency wants information on the changes and updates made by companies to address an Office of Management and Budget memorandum regarding the migration to PQC.

Interested stakeholders can also share the additions and changes they have implemented to comply with a 2021 cybersecurity executive order and national security memos issued in 2022 in relation to PQC.

Responses to the RFI are due July 11.