The Cybersecurity and Infrastructure Security Agency (CISA) along with the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) published the final part of the three-part series on securing supply chains on Nov. 17.
The guidance – Securing Software Supply Chain Series – Recommended Practices Guide for Customers – was published in its initial form earlier this year, and provides guidance to suppliers on how to best protect against cyberattacks.
“The guidance released today, along with the accompanying fact sheet, provides recommended practices for software customers to ensure the integrity and security of software during the procuring and deployment phases,” the agencies said in a press release.
The document focuses primarily on how both vendors and their clients can both protect themselves. Some of the recommendations include:
- Keep security requirements and risk assessments up-to-date using business processes and require adequate protection and control of geolocation of data and metadata;
- Assign individual roles to verify domain-specific and organizational security requirements;
- Require suppliers’ self-attestation of cybersecurity hygiene for their development process, the infrastructure supporting the development process, and the infrastructure supporting the development of their products; and
- Require the supplier to inform all customers on how to verify the integrity of all software components.
