Roundup: Global software supply chain security guidance and regulations
Supply chain security continues to receive critical focus in the realm of cybersecurity, and with good reason: incidents such as the SolarWinds, Log4j, Microsoft, and Okta software supply chain attacks continue to impact both leading proprietary software vendors and widely used open-source software components.
The concern is global. Regulations and requirements are evolving around the world as governments look to mitigate risks from software supply chain attacks, and topics such as secure-by-design, secure software development, software liability and self-attestations, and third-party certifications are dominating the dialogue.
Software suppliers will increasingly need to be familiar with the requirements as the landscape evolves. With attackers looking to exploit widely used software suppliers, these requirements are intended to help mitigate the risk to governments and nations around the world from software supply chain attacks.
From nations producing domestic secure software requirements to global efforts that reflect an international focus on blunting these dangers, below are some of the most notable initiatives and programs aimed at protecting the software supply chain.
United States
The Cyber Executive Order
Much of the US software supply chain security guidance and requirements can be traced back to Executive Order (EO) 14028, “Executive Order on Improving the Nation’s Cybersecurity”. While the EO itself didn’t create many of the associated requirements, it set the guidelines behind most of them. Section 4 in particular focuses on “enhancing software supply chain security” and lays out requirements for the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and others.
OMB 22-18 and 23-16
Per the Cyber EO, the Office of Management and Budget (OMB) issued two memos, 22-18 and 23-16, each of which focuses on software supply chain security and begins pushing for requirements such as requiring all software suppliers selling to the US Federal government to self-attest to following secure software development practices, such as NIST’s Secure Software Development Framework (SSDF). The memos also call for the use of SBOMs in some cases, and even the use of a third-party assessment organization if an agency determines the risk is significant enough.