
Roundup: Global software supply chain security guidance and legislation

Supply chain security continues to receive critical focus within the realm of cybersecurity, and with good reason: incidents such as the SolarWinds, Log4j, Microsoft, and Okta software supply chain attacks continue to affect both major proprietary software vendors and widely used open-source software components.

The concern is global. Regulations and requirements are evolving around the world as governments look to mitigate risks from software supply chain attacks, and topics such as secure-by-design, secure software development, software liability and self-attestations, and third-party certifications are dominating the discussion.

Software suppliers will increasingly need to be aware of these requirements as the landscape evolves. With attackers looking to exploit widely used software suppliers, these requirements are intended to help mitigate the risk to governments and nations around the world from software supply chain attacks.

From countries producing domestic secure software requirements to international efforts aimed at blunting the dangers of a shared global concern, below are some of the most notable initiatives and programs aimed at protecting the software supply chain.


United States

The Cyber Executive Order

Much of the US software supply chain security guidance and requirements can be traced back to Executive Order (EO) 14028, "Executive Order on Improving the Nation's Cybersecurity". While the EO itself did not create many of the related requirements, it set the principles behind most of them. Section 4 in particular focuses on "enhancing software supply chain security" and lays out requirements for the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and others.

OMB 22-18 and 23-16

Per the Cyber EO, the Office of Management and Budget (OMB) issued two memos, 22-18 and 23-16, each of which focuses on software supply chain security and begins pushing for requirements such as having all software producers selling to the US federal government self-attest to following secure software development practices, such as NIST's Secure Software Development Framework (SSDF). The memos also require the use of SBOMs in some cases, and even the use of a third-party assessment organization if an agency determines the risk is significant enough.
