MITRE Offers Recommendations on Securing Critical Software Supply Chains

In the newest addition to its Deliver Uncompromised series, the MITRE Corporation has released a paper on securing critical software supply chains. Noting that the current environment lacks systematic integrity, the authors say that a series of specific actions by the software development community and the larger IT sector could significantly reduce the risk of compromise, exploitation, exfiltration, or sabotage from software supply chain attacks. “While no silver bullet exists, establishing and implementing an end-to-end framework for software supply chain integrity will reduce risks from too-big-to-fail applications that are central to private sector enterprises, governments, and the critical capabilities they rely upon each day,” they write.

They propose that NIST update its existing supply chain standard, NIST SP 800-161, to include a new framework for securing software supply chains and that the federal government require vendors, resellers, and integrators to implement this framework. The authors also propose that the government leverage the framework to identify trusted suppliers, and that the Department of Defense incorporate the standards into its Cybersecurity Maturity Model Certification.
