NIST Now Analyzing Software Supply Chain Workshop Discussions, Position Papers

More than 1400 participants took part in the June 2-3, 2021, National Institute of Standards and Technology (NIST) workshop on enhancing the security of the software supply chain. That workshop helps to fulfill the President’s Executive Order on Improving the Nation’s Cybersecurity (14028), issued on May 12, 2021.  

NIST now is reviewing and analyzing the discussions at that virtual workshop, including questions and answers offered by panelists and in a lively exchange in the “chat” feature which maximized participants’ engagement. Key points made during those four panels included:

• Panel 1 – Criteria for Designating Critical Software
  • Limit the scope of critical software; if everything is critical, nothing is critical.
  • A phased approach will help make the program successful.
  • Consideration should be given to the diversity of the software marketplace.
• Panel 2 – Secure Software Development Standards, Practices, and Conformance.
  • A flexible, outcome-based approach to secure software development is necessary to accommodate the range of environments, platforms, languages, protocols, etc.
  • When generating artifacts for demonstrating conformance with secure software development practices, software suppliers should strive for transparency, accountability, auditability, and immutability.
  • NIST’s Secure Software Development Framework (SSDF) already includes many of the practices needed to meet the EO requirements and maps to numerous existing standards and guidelines.
• Panel 3– Tools and Techniques for Testing Software
  • Threat modeling should initially drive testing goals and plans.
  • Use static analysis, that is, automatic code examination for bugs or suspicious pattern, in addition to executing test cases.
  • Choose languages, architectures, protocols, etc. for which a mathematical proof can be constructed that the software will behave as intended.
  • Fuzzing is valuable because the cost in human resources is low and it tends to exercise bizarre cases that had not been considered.
  • At least one developer should have security training: specifically, a course where they had to break into a program.
• Panel 4– Security Measures for Critical Software
  • Organizations (agencies) should be conducting basic “cyber hygiene” regardless of the definition of critical software, including practices stated in the EO (least privilege, network segmentation, and proper configuration), but also others such as authentication, patching, vulnerability management, logging, and network security.
  • Even with a definition of critical software and the DHS list of categories, organizations (agencies) will still need to implement a risk-based approach and apply context-driven activities, such as conducting or utilizing criticality analysis.

Presenters at the workshop were selected based on the nearly 150 position papers submitted. NIST also is reviewing each of those position papers in detail as it aims to meet requirements of Section 4 of the Executive Order. That order directs the Secretary of Commerce, through NIST, to consult with federal agencies, the private sector, academia, and other stakeholders in identifying standards, tools, best practices, and other guidelines to enhance software supply chain security. NIST is assigned tight deadlines for establishing those standards and guidelines – which will be used by other agencies to govern the federal government’s procurement of software.

Additional information is available on a dedicated NIST website. Inquiries may be directed to: swsupplychain-eo [at] nist.gov (swsupplychain-eo[at]nist[dot]gov)