While the idea of being wary of a “weak link” may be a well-worn metaphor, it is proving to be a key focus in modern efforts to secure IT systems. The “software supply chain” refers to all technology elements used to create a software solution. Rarely, if ever, is modern software composed of one single program. Many pieces of technology are used to build and conduct the complex functions of digital solutions. If one of those elements has a security vulnerability, the entire piece of software is at risk—and by extension, so are the networks it touches.
The Log4Shell incident in 2021 illustrated how a security vulnerability in a small piece of software—a Java logging framework buried several layers deep in the dependency tree—could impact some of the most widely used and trusted software programs. By exploiting the vulnerability, hackers were able to use devices across government for cryptocurrency mining, creating botnets, sending spam, establishing backdoors, and other illegal activities such as ransomware attacks.
On the heels of the Log4Shell incident, the White House issued a memo, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, requiring federal agencies to obtain self-attestation from software providers that their solutions adhere to National Institute of Standards and Technology supply chain security requirements. In the summer of 2024, the General Services Administration began collecting attestation forms for new software contracts from providers and contractors.
These Secure Software Development Attestation Forms are available from the Cybersecurity and Infrastructure Security Agency. Among the many requirements covered, the form requires vendors to confirm that:
- Solutions are developed and built in secure environments.
- The company maintains provenance for internal and third-party components.
- The company has automated processes to check for vulnerabilities.
To meet these requirements, companies need mature security and development processes that follow industry best practices, including:
- Creation of a software bill of materials for each application, listing the components used in the software as well as the dependencies related to those components.
- Regular automated vulnerability scans.
- Use of multi-factor authentication and role-based access control for development, build, test, and production environments.
- Isolation of development, build, test, and production environments.
- Encryption of sensitive data.
- Clearly documented process for receiving and handling reports of possible vulnerabilities.
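The first two practices above (a software bill of materials that records components and their dependencies, and an automated vulnerability check run against it) can be shown end to end in a few dozen lines. The following is an added example written for this post; it is not code from the page, from CISA, or from any SBOM tool. It builds a small CycloneDX-shaped SBOM from a constructed dependency graph, matches each component against a constructed advisory list by name and version range, and reports the dependency path that pulled each affected component in, which is exactly the "buried several layers deep" problem Log4Shell exposed. All package names, versions, and advisory identifiers are placeholders, not real packages or CVEs.

```python
"""Build a minimal CycloneDX-style SBOM from a dependency graph and check it
against an advisory list, reporting the dependency path to each affected
component. Every package name, version and advisory ID below is a constructed
placeholder for this example, not real package or CVE data."""
import json
import uuid

# Constructed dependency graph (placeholders): "name@version" -> direct dependencies.
DEPENDENCIES = {
    "example-web-app@1.0.0": ["example-http@4.5.2", "example-metrics@0.9.1"],
    "example-http@4.5.2": ["example-json@1.3.0"],
    "example-json@1.3.0": [],
    "example-metrics@0.9.1": ["example-logging@2.1.0"],
    "example-logging@2.1.0": [],
}

# Constructed advisory list (placeholder IDs, not real CVE numbers).
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "example-logging",
     "introduced": "2.0.0", "fixed": "2.2.0"},
    {"id": "EXAMPLE-ADV-0002", "name": "example-json",
     "introduced": "1.0.0", "fixed": "1.2.5"},
]


def parse_version(text):
    """Dotted version string -> tuple of ints, so "2.10.0" sorts above "2.9.1"."""
    return tuple(int(part) for part in text.split("."))


def split_ref(ref):
    """'name@version' -> (name, version)."""
    name, version = ref.rsplit("@", 1)
    return name, version


def build_sbom(root, deps):
    """Walk the graph from the root application and emit a CycloneDX-shaped
    document: the root goes in metadata.component, every transitive
    dependency in components, and the edges in dependencies."""
    components, edges, seen = [], [], set()
    stack = [root]
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        name, version = split_ref(ref)
        if ref != root:
            components.append({"type": "library", "name": name,
                               "version": version, "bom-ref": ref})
        edges.append({"ref": ref, "dependsOn": sorted(deps.get(ref, []))})
        stack.extend(deps.get(ref, []))
    root_name, root_version = split_ref(root)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": root_name,
                                   "version": root_version, "bom-ref": root}},
        "components": sorted(components, key=lambda c: c["bom-ref"]),
        "dependencies": sorted(edges, key=lambda e: e["ref"]),
    }


def dependency_path(sbom, target):
    """Chain of bom-refs from the root application to target, so a finding
    shows which direct dependency pulled the affected component in."""
    graph = {e["ref"]: e["dependsOn"] for e in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    stack = [[root]]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            return path
        for child in graph.get(path[-1], []):
            if child not in path:  # guard against cycles
                stack.append(path + [child])
    return None


def find_vulnerable(sbom, advisories):
    """Match every SBOM component against the advisory list by name and
    version range; one finding per (component, advisory) hit."""
    findings = []
    for comp in sbom["components"]:
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                findings.append({"advisory": adv["id"], "component": comp["bom-ref"],
                                 "fixed": adv["fixed"],
                                 "path": dependency_path(sbom, comp["bom-ref"])})
    return findings


if __name__ == "__main__":
    sbom = build_sbom("example-web-app@1.0.0", DEPENDENCIES)
    print(json.dumps(sbom, indent=2))
    for f in find_vulnerable(sbom, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} (upgrade to {f['fixed']}) via "
              + " -> ".join(f["path"]))
```

Run as a script it prints the SBOM and one finding: the placeholder logging library is affected and reaches the application only through the metrics dependency, which is the kind of indirect exposure a flat package list would hide. In a real pipeline the graph would come from the build tool's lock file and the advisory list from a vulnerability database, but the matching and path-reporting logic stays the same.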
To learn more about how software supply chain security is being implemented, check out these resources from GovWhitePapers and GovEvents.
- Software Assurance in the Cyber Supply Chain Risk Management Lifecycle (white paper) – This guide focuses on the “secure by demand” approach, providing recommendations for agency personnel to engage in more relevant discussions about security practices with their enterprise risk owners (such as CIOs and CISOs) and candidate suppliers.
- Developing Supply Chain Risk Management (SCRM) Initiatives in the Federal Government (white paper) – With increasing reliance on technology, there is a growing need to address potential vulnerabilities and risks associated with procuring, using, and securing products and services. In a recent roundtable discussion, federal experts shared the opportunities and challenges they encounter with SCRM.
- Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption (white paper) – This document provides guidance in line with industry best practices and principles for managing open source software and software bills of materials to maintain and provide awareness about the security of software.
- 2024 Tech Summit (October 24, 2024; Arlington, VA) – Organized by AFCEA Washington DC, this summit will cover a range of topics, including Artificial Intelligence (AI), cybersecurity, cloud services, supply chain security, and Zero Trust architectures, among others.
- CyberTalks 2024 (October 30, 2024; Washington, DC) – This event is an opportunity to hear from the leading voices at the intersection of government and the technology industry on the latest tactics to combat ever-evolving cybersecurity risks.
Explore more government software security supply chain advice and guidance at GovWhitePapers and GovEvents.