Software Security in Supply Chains: Software Verification

The third initiative launched by NIST in response to EO 14028 resulted in the Minimum Standards for Vendor or Developer Verification of Software. These guidelines, released in July 2021, focus primarily on developers supplying secure products and services to federal agencies. Technical descriptions and explanations of the guidelines were released as NISTIR 8397, Guidelines on Minimum Standards for Developer Verification of Software, in October 2021.

At a minimum, agencies should familiarize themselves with these guidelines and take action to ensure applicable recommended baseline practices are being performed by their suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers.

As with the security measures for critical software use, these recommended practices can be operationalized through the lens of the SP 800-161, Rev. 1, acquisition guidance. Table F-5 outlines how the minimum software verification techniques can be used by federal agencies to enhance existing C-SCRM controls, control enhancements, and supplemental guidance from the acquirer's perspective.

Table F-5: C-SCRM Control and Security Measure Crosswalk

Columns: Control Identifier | Control Name | EO Minimum Software Verification Technique Impact

AU-12 | Audit Record Generation
  • Expand examples of “supply chain auditable events” to include supplier attestation (or third-party validation) that all relevant minimum software verification techniques were performed and passed. Attestation should accompany each installation, deployment, and/or upgrade of software.

SA-3 | System Development Life Cycle
  • Integrate all applicable minimum software verification techniques into a supplier’s traditional SDLC activities.

SA-4 | Acquisition Process
  • Include all applicable minimum software verification techniques in a supplier’s requirements for functional properties, configuration, and implementation information, as well as any development methods, techniques, or practices that may be relevant. To differentiate between assurance activities and their effectiveness, evaluation factors should include means for weighing the inclusion of each applicable minimum software verification technique, monitoring, and remediating findings.

SA-8 | Security Engineering Principles
  • Incorporate threat modeling, fuzzing, and automation to determine the maximum possible ways that the ICT/OT product or service can be misused and abused by a supplier.
  • Expand the supplier’s security mechanisms to include the built-in checks and protections verification technique.

SA-9 | External System Services
  • Ensure that minimum software verification techniques and results are documented alongside a supplier’s cyber-supply chain threats, vulnerabilities, and associated risks.

SA-10 | Developer Configuration Management
  • Mandate that the supplier’s developer configuration management activities include checking software for known vulnerabilities, as well as the application of remediations and/or compensating controls to resolve or mitigate identified vulnerabilities.

SA-11 | Developer Testing and Evaluation
  • Supplement suggested C-SCRM-relevant testing with all applicable minimum software verification techniques.

SA-15 | Development Process, Standards, and Tools
  • Enhance threat modeling and vulnerability analysis activities to include the minimum software verification techniques, where applicable.

SA-22 | Unsupported System Components
  • Incorporate the automated testing, built-in checks, and included-code (e.g., libraries, packages, services) verification techniques to proactively identify unsupported systems or system subcomponents.

SR-6 | Supplier Assessment and Reviews
  • Augment baseline factors and assessment criteria to include a supplier’s minimum software verification techniques, where applicable.

SR-9 | Tamper Resistance and Detection
  • Augment the tamper resistance and detection control to include a supplier’s minimum software verification techniques, where applicable.

SR-11 | Component Authenticity
  • Use the automated scanning and check-included-software techniques to continuously monitor configuration control for component service and repair activities as well as anti-counterfeit scanning.

SI-7 | Software, Firmware, and Information Integrity
  • Expand the set of applicable verification tools to include all minimum software verification techniques, where applicable.

CM-3 | Configuration Change Control
  • Incorporate automated scanning, fuzzing, and other built-in checks and protections into testing, validation, and the documentation of changes to control for supplier misconfiguration risks.

CM-6 | Configuration Settings
  • Codify automated management, application, and verification activities to include all applicable minimum software verification techniques.

CM-10 | Software Usage Restrictions
  • Mandate the use of all applicable software verification techniques when utilizing open source software components or licensed software (which may also apply to some open source software components).
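The AU-12 row above asks that a supplier attestation, stating that the minimum verification techniques were performed and passed, accompany each installation or upgrade and be captured as an auditable event. The following is an added example of what an acquirer-side gate for that could look like; it is not code from NIST or from SP 800-161 and assumes its own attestation layout. The attestation is a JSON payload listing the techniques named in the crosswalk with a pass/fail result and the SHA-256 digest of the delivered artifact. Integrity is checked here with an HMAC over a canonical serialization and a constructed shared secret; a real deployment would use the supplier's signing key and an established attestation format, so treat the MAC as a stand-in for signature verification. The sample artifact, key, supplier name and technique subset are all constructed for the example.

```python
"""Gate a software install on a supplier verification attestation (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

# Techniques named in the crosswalk above. Assumption: a real gate would require
# the full NISTIR 8397 list; this subset is enough to show the check.
REQUIRED_TECHNIQUES = (
    "threat modeling",
    "automated testing",
    "fuzzing",
    "built-in checks and protections",
    "check included software for known vulnerabilities",
)

# Constructed sample values; not real artifacts, keys or suppliers.
SAMPLE_ARTIFACT = b"constructed sample package contents for example-app-1.2.3"
SAMPLE_KEY = b"constructed-shared-secret-stand-in-for-supplier-signing-key"


def canonical(payload: dict) -> bytes:
    """Deterministic serialization so both sides MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(payload: dict, key: bytes) -> dict:
    """Supplier side: attach an HMAC-SHA256 over the canonical payload."""
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_attestation(attestation: dict, artifact: bytes, key: bytes) -> tuple[bool, list[str]]:
    """Acquirer side: check integrity, artifact binding and technique coverage.

    Returns (ok, findings). An integrity failure stops further checks, since
    nothing else in the payload can be trusted once the MAC does not verify.
    """
    findings: list[str] = []
    payload = attestation.get("payload", {})
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation.get("mac", "")):
        return False, ["attestation MAC does not verify"]

    # The attestation must be bound to the exact bytes being installed.
    if payload.get("artifact_sha256") != hashlib.sha256(artifact).hexdigest():
        findings.append("artifact digest mismatch")

    # Every required technique must be present and must have passed.
    results = payload.get("techniques", {})
    for technique in REQUIRED_TECHNIQUES:
        if technique not in results:
            findings.append(f"missing technique: {technique}")
        elif results[technique] != "pass":
            findings.append(f"technique not passed: {technique} ({results[technique]})")
    return not findings, findings


def audit_record(attestation: dict, artifact: bytes, key: bytes, action: str = "install") -> dict:
    """Produce the AU-12 style auditable event for this install/upgrade decision."""
    ok, findings = verify_attestation(attestation, artifact, key)
    payload = attestation.get("payload", {})
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "event": "supply_chain.software_verification_attestation",
        "action": action,
        "supplier": payload.get("supplier"),
        "artifact": payload.get("artifact"),
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "result": "pass" if ok else "fail",
        "findings": findings,
    }


def build_sample_attestation(results: dict | None = None) -> dict:
    """Constructed supplier attestation for the sample artifact."""
    payload = {
        "supplier": "Example Supplier (constructed)",
        "artifact": "example-app-1.2.3.tgz",
        "artifact_sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(),
        "techniques": results if results is not None else {t: "pass" for t in REQUIRED_TECHNIQUES},
    }
    return sign_attestation(payload, SAMPLE_KEY)


if __name__ == "__main__":
    print(json.dumps(audit_record(build_sample_attestation(), SAMPLE_ARTIFACT, SAMPLE_KEY), indent=2))
    incomplete = build_sample_attestation({t: "pass" for t in REQUIRED_TECHNIQUES[:-1]})
    print(json.dumps(audit_record(incomplete, SAMPLE_ARTIFACT, SAMPLE_KEY, "upgrade"), indent=2))
```

The design point is that the gate fails closed on three independent conditions: the attestation has been altered, it does not describe the bytes actually being installed, or a required technique is absent or did not pass. Each failure is written into the audit record rather than only blocking the install, which is what turns the attestation into the "supply chain auditable event" the AU-12 row calls for.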


Created May 3, 2022, Updated May 5, 2022