The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) have released a report offering joint guidance on how to secure the software supply chain. The guidance was produced by the Enduring Security Framework, a working group focused primarily on mitigating risks to critical infrastructure organizations and to national security. The group's recommendations cover best security practices applicable to organizations, developers, and suppliers.
The report is divided into three sections: one addressing recommendations for software developers, another aimed at software suppliers, and a final part focused on the software customer, meaning the organizations that purchase and maintain the software. The report also describes attack scenarios and their mitigations. The agencies recommend paying strict attention to the organization's own requirements, particularly its risk management activities. Additionally, organizations should evaluate products before signing contracts.