CISA, NSA and industry outline security responsibilities of software suppliers

Software suppliers have unique responsibilities maintaining efficient delivery of their products while considering security risks, according to guidance the National Security Agency recently released, together with the Cybersecurity and Infrastructure Security Agency.

“Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components and harden the build environment,” reads an Oct. 31 press release from NSA. “But the supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities.”

The document aimed at software suppliers is one in a series of three. The Enduring Security Framework—which includes U.S. government officials as well as industry representatives from the information technology, communications and defense sectors—released guidance for developers in September and plans to next address the security responsibilities of software consumers. 

Security best practices for producers and users of software have already been articulated, most notably in the National Institute of Standards and Technologys’ Secure Software Development Framework, which NIST used to meet its obligations to deliver guidance for federal agencies under Executive Order 14028. 

President Joe Biden issued the order in May, 2021, responding to the SolarWinds event where customers of the ubiquitous IT management firm were compromised, after installing what appeared to be a routine update. The hackers had gained unauthorized access to SolarWinds’ delivery mechanism and cloaked their malware in the new code.

“This series will help foster communication between these three different roles and among cybersecurity professionals that may facilitate increased resiliency and security in the software supply chain process,” according to the document, which does not elaborate on its distinction between software developers and software suppliers. 

Biden’s order stressed agencies’ responsibility to scrutinize the software they purchase and the Office of Management and Budget required procurement officials to collect a form—to be created by CISA—that software vendors can sign in order to self-attest adherence to practices identified in the NIST guidance. An appendix included in the document suggests developers should be primarily responsible for implementing those practices, while suppliers should be primarily responsible for testing their effectiveness.