
NSA Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption


    Posted Nov 13, 2023 08:56:00 AM

    Hi All,

    NSA just published Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption

    Unmitigated vulnerabilities in the software supply chain pose a significant risk to organizations. This paper builds on the previously released Recommended Practices for a software supply chain's development, production, distribution, and management processes, to increase the resiliency of these processes against compromise. This guidance also builds upon and supports the Office of Management and Budget (OMB) memorandum on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (M-22-18).

    Because the considerations for securing the software supply chain vary, this follow-on guidance focuses on Software Bill of Material (SBOM) Consumption and open source software (OSS). This information will help continue to foster communication between the different roles and among cybersecurity professionals that may facilitate increased resiliency and security in the software supply chain process.

    All organizations are encouraged to proactively manage and mitigate risks as a part of evolving secure software development practices. An organization's role as a developer, supplier or customer of software in the software supply chain lifecycle will continue to determine the shape and scope of this responsibility.

    It is recommended that acquisition organizations assign supply chain risk assessments to their buying decisions given the recent high profile software supply chain incidents. Software developers and suppliers should improve their software development processes and reduce the risk of harm to not just employees and shareholders, but also to their users.

    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA, CSA Research Fe
    ------------------------------