NSA Releases Recommendations to Mitigate Software Supply Chain Risks

In response to an increase in cyber attacks to supply chains over the past five years, including targeted attacks of software supply chains, the National Security Agency (NSA) published a new Cybersecurity Information Sheet (CSI), “Recommendations for Software Bill of Materials (SBOM) Management.” This CSI provides network owners and operators with guidance for incorporating SBOM use to help protect the cybersecurity supply chain.

Effective Software Bill of Materials (SBOM) management leverages identification of software components to mitigate cyber risk and support improved cybersecurity throughout the software’s lifecycle. According to the CSI, SBOM management should proceed in three steps. First, examine and manage risk before acquiring software. Second, analyze vulnerabilities after deploying new software. Third, implement incident management to detect and respond to new software vulnerabilities during vital operations. Accordingly, the CSI highlights best practices and provides recommendations for software users to help them incorporate SBOM management functions suitable to their Cybersecurity Supply Chain Risk Management (C-SCRM) strategy requirements. For additional information, see this previous CISA report on the SBOM Sharing Lifecycle. Lastly, last year, WaterISAC hosted a webinar that discussed product security including SBOM considerations, the recording of that presentation can be accessed here. Read the full CSI at the NSA.