DevSecOps


NSA, ODNI, and CISA Securing the Software Supply Chain: Recommended Practices for Developers

1. NSA, ODNI, and CISA Securing the Software Supply Chain: Recommended Practices for Developers

    Posted Sep 01, 2022 01:03:00 PM
    Hi All,

    The NSA, ODNI, and CISA developed this document to further their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity recommendations and mitigations.

    This document will provide guidance in line with industry best practices and principles, which software developers are strongly encouraged to reference. These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing).

    Unmitigated vulnerabilities in the software supply chain pose a significant risk to organizations. This paper presents actionable recommendations for a software supply chain's development, production and distribution, and management processes to increase the resiliency of these processes against compromise. All organizations have a responsibility to establish software supply chain security practices to mitigate risks, but the organization's role in the software supply chain lifecycle determines the shape and scope of this responsibility. Because the considerations for securing the software supply chain vary based on the organization's role in the supply chain, this series presents recommendations geared toward these important roles, namely, developers, suppliers, and customers (or the organization acquiring a software product).

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------