Deliver Uncompromised: Securing Critical Software Supply Chains

By Charles Clancy, Ph.D. , Joe Ferraro , Robert Martin , Adam Pennington , Christopher Sledjeski , Craig Wiener, Ph.D.

In the wake of the SolarWinds software supply chain attack, MITRE experts propose the establishment of an end-to-end framework for software supply chain integrity.

Download Resources

A series of actions, if taken by the software development community and the larger information technology ecosystem, can significantly reduce the risk of compromise, exploitation, exfiltration, or sabotage from software supply chain attacks.

While no silver bullet exists, establishing and implementing an end-to-end framework for software supply chain integrity will reduce risks from too-big-to-fail applications that are central to private sector enterprises, governments, and the critical capabilities they rely upon each day.

The current state of practice in software supply chain security lacks systematic integrity. There are insufficient interoperable tools for preventing, detecting, or remediating software supply chain attacks that go beyond tools available for general cybersecurity threats. Given the potential impacts from software supply chain attacks, we cannot treat them as just another cybersecurity breach.

Within this paper we propose the following framework be developed to bolster the integrity of our software supply chains:

  • The software industry must adopt a standard scalable, interoperable Software Bill of Materials (SBOM)-based supply chain metadata approach that can track composition and provenance of every component in a software product, provide metadata integrity for each software component and its pedigree, and use that metadata to systematically characterize and manage risk.
  • Cryptographic code signing and associated validation infrastructure needs to mature to reflect the complexity and diversity of today’s software supply chains, and prepare for the rapid deployment of expected new standards for post-quantum digital signatures.
  • Systems involved in building and distributing software and software updates, at a minimum, must meet higher levels of assurance, such as National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev 5.

NIST should update their existing supply chain standard, NIST SP 800-161, to include this framework.

The United States (U.S.) federal government should require this framework be implemented by vendors, second- or third-party resellers, and integrators as it acquires services and supplies, and use this framework as part of selecting appropriately trustworthy suppliers, supplies, and services. For example, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program should include use of this framework as part of its criteria.

Longer-term, industry standards such as the International Organization for Standardization (ISO) 270016 should be updated to include this framework.