NIST’s role in enhancing software supply chain security

Introduction: Understanding NIST’s cybersecurity mission

Securing the software supply chain is a high priority for the Biden Administration and the federal government. The National Institute of Standards and Technology (NIST) plays a vital role in promoting best practices for cybersecurity and the software supply chain. NIST’s recent update to its Cybersecurity Framework (CSF 2.0) provides a clear set of guidelines for organizations to enhance their cybersecurity posture, meet compliance standards, and safeguard the network.‍

However, to bypass cybersecurity defenses, threat actors will switch tactics, and right now, they are exploiting weaknesses found in the software supply chain. Software supply chain security identifies vulnerabilities and risks and creates best practices to defend against threats.‍

NIST and software supply chain security

In 2021, NIST’s role in the software supply chain was put into action with Executive Order (EO) 14028. As the threat landscape evolves and expands, with the increase of vulnerability exploits or malicious code found in open-source libraries, the EO, a directive to improve the nation’s cybersecurity posture, requires NIST to develop guidelines around software supply chain security. ‍

Beyond the EO, there is NIST Special Publication 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations,” which set the foundation for comprehensive supply chain security practices. The practices that they recommend for building a solid software supply chain security program include:‍

• Risk assessment to best understand supply chain risks specific to your organization

• Supplier control that entails an evaluation into the security practices and systems of third-party vendors ‍

• Verifying the integrity of software components at each stage of their lifecycle using a Software Bill of Materials (SBOM)‍

• Build security into the software development process‍

• Develop a strong incident response and recovery plan with suppliers‍

• Continuously monitor the supply chain for changes and problems

‍

NIST’s guidance on container and image security

Containers are a vital component to the software supply chain. Simply put, it is an environment that packages code so that applications and their dependencies run quickly and efficiently and allow them to run on any operating system. A container image is a package with executable code necessary to run the application. Image security is critical for container security; a single compromised image can cause a domino effect of security incidents that expose sensitive data.‍

NIST addresses container security in its Special Publication 800-190, “Application Container Security Guide.” As many organizations are at the beginning of their journey with containers, this Special Publication outlines some of the security risks involved with containers, such as image vulnerabilities and supply chain attacks, and offers best practices for image security that include image scanning, least privilege access, and runtime protection.‍

The broader impact of NIST guidelines

NIST guidelines offer organizations a starting point to improve their overall cybersecurity standard. Small- and medium-sized businesses (SMBs), especially, know they need to implement even the most basic security best practices, but they don’t have the same internal resources or budgeting available as larger corporations. The NIST standards provide a starting point at no cost. ‍

These guidelines are a starting point for hard conversations companies need to have around cybersecurity and how to best meet their specific needs. The special publications cover a vast array of technologies, so organizations are able to better manage security around the risks they face. For SMBs that also have an active DoD contract, there is the NSA Cybersecurity Collaboration Center (CCC) that offers Defense Industrial Base (DIB) security services for free. And because their guidelines go through an exhaustive process that includes input from security professionals, they foster a broad organizational commitment to cybersecurity best practices.‍

Navigating the future with NIST

NIST CSF 2.0 was a response to a changing threat landscape and evolving government and industry regulations. Adding guidelines around governance in this second version shows their commitment to address these changes in the cybersecurity environment. In addition to CSF 2.0, NIST finalized new guidelines to protect sensitive information and is at work in meeting the security standards for AI outlined in an EO released in October 2023. ‍‍

NIST resources are free and readily available online for anyone who wants to improve their overall cybersecurity standards. Contact us for more information about container image security or NIST’s role.