Articles Featured

Securing the Software Supply Chain 101

June 27, 2023

Securing the Software Supply Chain 101

Class is now in session.

CUI. SBOM. NIST. Executive orders. Critical software. Mix them all together and you’ve got a more secure supply chain. But it’s all just a mishmash of words until you know what they mean.

A supply chain attack happens when someone infiltrates your system through an attack on a system in your supply chain. Whether through malware, phishing or some other hack, a supplier got infiltrated and now they have a way into your system.

The Solar Winds attack is an example. As many as 250 organizations were impacted by a breach in Solar Winds’ Orion platform. The hackers used that breach to distribute trojanized updates to Solar Winds customers, and from there, the attack went viral. As a result, companies in the government supply chain are required to comply with cybersecurity standards if they want to keep their contracts.

The Executive Orders that created it all.

To truly understand supply chain cybersecurity, you need the story behind the story. While most think of President Joe Biden’s Executive Orders 14017 and 14028 in 2021, “America’s Supply Chains and Improving the Nation’s Cybersecurity,” as the starting point, it really had its origins in President Obama’s Executive Order 13556. This EO pulled together all the disparate markings for unclassified data under the singular definition of Controlled Unclassified Information, or CUI.

For the first time, the CUI definition included information not in the government’s direct control. This included health records, tax holder data and other data necessary to protect citizens’ and the government’s interests. This EO also directly led to the publication of the National Institute of Standards and Technology (NIST) standard 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

NIST 800-171 is a seminal secure supply chain document that lays out the security requirements for protecting CUI data for industry. The U.S. Department of Defense then established the Cybersecurity Maturity Model Certification (CMMC). CMMC adds requirements for cyber hygiene maturity to the NIST 800-171 requirements, together with third-party certification for organizations handling CUI.

Now you need to inventory all your software components.

President Biden’s EO 14028 stated that “protecting our nation from malicious cyber actors requires the federal government to partner with the private sector.” It goes on to say, “incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

This EO led to creating the Software Bill of Materials (SBOM) that requires government suppliers to inventory and keep the lineage of all the software components they use, including open source software. This helps evaluate the risk in a product and secure it in the system. The same EO also defines and distinguishes the concept of critical software.

How do you know if software is critical?

Not to be confused with necessary, expensive, or mission-critical software, critical software is defined as “software that performs functions critical to trust.” Critical software has at least one of the following attributes:

Is designed to run with elevated privilege or manage privileges
Has direct or privileged access to networking or computing resources
Is designed to control access to data or operational technology
Performs a function critical to trust
Operates outside of normal trust boundaries with privileged access

These specifics are necessary because the federal government will secure the supply chain for critical software very differently from all other software. It will require a much more intensive supply chain review on how they get updates, for example—a direct result of the Solar Winds attack.

A roadmap for supply chain cybersecurity.

One of the big deliverables that came out of EO 14025 is NIST 800-53, version 5, which includes a whole new section of 12 controls for securing the supply chain. In addition, NIST 800-218, Secure Software Development Framework, addresses a detailed framework for creating and maintaining a secure development environment. These, combined with other guides created as a result of the EO, give a roadmap, recommendations and best practices to follow as you help the government secure their supply chain and shore up security for your organization.

The work is time-intensive, so automate what you can.

The government has put together lists of best practices to follow. One of these is simply having good cyber hygiene—your systems are hardened, you have two-factor authentication on your volumes and repositories, and other such measures.

A good deal of that part can be automated, which will come in handy as the amount of time and effort to comply with supply chain mandates is significant. SteelCloud’s ConfigOS Command Center and ConfigOS MPO can help you meet your CMMC requirements (and align with the same hardening controls the government uses) in minutes and hours, rather than days or weeks. Download our CMMC for Dummies ebook and watch our 6 minute video on how to Secure the Federal Supply Chain with automation.

Share This Resource:

Automation / CMMC 2.0 / CUI / cybersecurity / EO / mission-critical software / NIST / SBOM / secure / software supply chain

10 ½ Reasons You Should Automate CIS Compliance Prev post

VIDEO: CORA Inspections: What You Should Know Next post

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Securing the Software Supply Chain 101

Class is now in session.

The Executive Orders that created it all.

Now you need to inventory all your software components.

How do you know if software is critical?

A roadmap for supply chain cybersecurity.

The work is time-intensive, so automate what you can.

Resource Library

Recent Resources

Featured Resources

Visual Guide to System Hardening and Automation

How to Harden Systems Easily and Affordably

VIDEO: How to Overcome Budget and Staff Cuts with Automation

What We Do

Company

Support