NIST Offers Concrete Steps for Secure Software Development

New Guidelines Include 'Absolutely Crucial' Steps to Enhance Security, Experts Say
The National Institute of Standards and Technology has issued guidance for supply chain security assurances in CI/CD pipelines. (Image: Shutterstock)

Recommendations from the U.S. federal government about securing software supply chains can be generic - but experts say guidance published Wednesday by the National Institute of Standards and Technology offers actual concrete steps for integrating security into every phase of the software development life cycle.

NIST recently issued SP 800-204D, its final guidelines for software providers on implementing the building blocks of supply chain security assurances into continuous integration and continuous delivery pipelines. The guidance recommends that manufacturers prioritize a series of actionable measures, including establishing baseline security requirements for integrating open-source software and expanding oversight of provenance data.

"This framework comes right in time," said Henrik Plate, a researcher for the software security firm Endor Labs who has been tracking NIST SP 800-204D since a draft version was first published in September.

The guidance cites NIST's Secure Software Development Framework and the administration's 2021 cybersecurity executive order as the road map on which its latest recommendations are based, along with input from industry and stakeholders. Previous guidelines such as the SSDF provided only high-level secure development practices that were agnostic to specific software development life cycles and technologies, according to Plate.

Plate told Information Security Media Group the new guidance "goes one step further" by providing manufacturers with a detailed set of measures to bolster supply chain security, such as continuous scanning of dependencies for known vulnerable versions and malware. He said the measures are "absolutely crucial" steps that "need to be performed during pipeline execution."

Federal software providers will soon be required to sign a self-attestation form developed by the Cybersecurity and Infrastructure Security Agency to confirm that their systems have been securely developed in compliance with the SSDF and other standards developed by NIST. The SSDF tasks providers with ensuring they can “protect all components of the software from tampering and unauthorized access” and appropriately respond to critical vulnerabilities, but some critics say the framework lacks more technical details required to fully implement those demands.

The Office of Management and Budget in June delayed the deadline for the federal government to begin collecting attestation forms from contractors and provided additional information in a memo that details what agencies are actually mandated to collect from software providers. Agencies will only be required to collect attestations from the "producer of the software end product" rather than from producers of all third-party software components, according to OMB.

It remains unclear when agencies will be required to begin collecting the attestations. The next formal step is for the White House to approve the CISA form under a statute known as the Paperwork Reduction Act, after which critical software providers will have three months to start submitting forms and other providers will have six months. OMB has not set a timeline for when the White House plans to review or approve the form and did not respond to a request for comment.

Plate said the guidance is especially useful "in the context of the upcoming self-attestation, which has been postponed for now, but which will at some point require software suppliers for federal agencies to self-declare adherence to the SSDF."

The guidance clarifies expectations for federal software contractors that seek to self-declare adherence to the SSDF and includes steps to ensure that providers are integrating security throughout software life cycles and into CI/CD pipelines. The steps include defining roles and responsibilities, using isolated platforms throughout the building stages of software development and automating the entire CI/CD pipeline by deploying appropriate tools.

The guidance also urges software providers to heavily invest in automated tools and techniques to scan pipelines, conduct integrity tests and help oversee repositories and source-code management systems.

The guidance aligns with broader calls "to provide assurances around not just the final artifact of software, but the development processes, machines, users and more who were involved in it," according to Chris Hughes, chief security architect at Endor Labs and a fellow for the Cybersecurity and Infrastructure Security Agency focusing on supply chain security.

CISA has led efforts to transfer cybersecurity risk from end users to software developers, and it recently began issuing "secure by design alerts" with the FBI that focus on how manufacturers can shift the burden of security away from customers by building it into the software life cycle.

About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.