Keep Software Supply Chains Secure With New Federal Guidance

NIST SP 800-161 Revision 1 recommends three levels of supply chain security strategies. Essential practices include creating a Program Management Office for cybersecurity supply chain risk management (C-SCRM), developing incident management measures and requiring suppliers to identify vulnerabilities. Sustaining practices involve incorporating C-SCRM requirements into supplier contracts. Enhancing practices include using automation and metrics for better C-SCRM management. Guidelines from CISA, NSA and ODNI also suggest that software suppliers provide a software bill of materials (SBOM) and check its components against known-vulnerability databases.
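The last sentence describes a concrete check: take each component in a supplier's SBOM and look it up in a vulnerability database. The following is an added example, not code from the guidance or from any of the agencies named above. It reads a small constructed CycloneDX-style SBOM, resolves each component's package URL (purl) to an ecosystem, name and version, and compares it against a constructed list of vulnerability records whose identifiers (`VULN-EXAMPLE-…`) are placeholders rather than real CVEs. The version-range logic (affected if `introduced <= version < fixed`) and the handling of components that carry no purl, which cannot be matched at all, are the parts a practitioner usually gets wrong.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed minimal CycloneDX-style SBOM; not taken from any real product.
# The last component deliberately has no purl, so it cannot be matched.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    {"type": "library", "name": "requests", "version": "2.19.1", "purl": "pkg:pypi/requests@2.19.1"},
    {"type": "library", "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "library", "name": "internal-widget", "version": "0.9"}
  ]
}
"""

# Constructed vulnerability records with placeholder ids (not real CVEs).
# "fixed" is the first non-affected version; None means no fix yet.
VULN_DB: List[Dict] = [
    {"id": "VULN-EXAMPLE-0001", "ecosystem": "pypi", "name": "requests",
     "introduced": "0", "fixed": "2.20.0", "severity": "MEDIUM"},
    {"id": "VULN-EXAMPLE-0002", "ecosystem": "npm", "name": "left-pad",
     "introduced": "1.0.0", "fixed": "1.2.0", "severity": "LOW"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.19.1' into (2, 19, 1); non-numeric characters are dropped."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed. Tuples are zero-padded so that
    (1, 2) and (1, 2, 0) compare as equal rather than as prefix-less."""
    v, lo = parse_version(version), parse_version(introduced)
    hi = parse_version(fixed) if fixed else ()
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    if pad(v) < pad(lo):
        return False
    if fixed is None:
        return True
    return pad(v) < pad(hi)


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (type, name, version). Namespace, qualifiers and subpath are ignored."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    ecosystem, _, rest = purl[4:].partition("/")
    path, _, version = rest.partition("@")
    version = version.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return ecosystem, name, version


def match_sbom(sbom_text: str, vuln_db: List[Dict]) -> List[Dict]:
    """Return one finding per (component, vulnerability) hit, plus one finding
    with id None for every component that has no purl and so cannot be checked."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            findings.append({"component": comp.get("name"), "id": None,
                             "note": "no purl; component cannot be matched"})
            continue
        ecosystem, name, version = parse_purl(purl)
        for rec in vuln_db:
            if (rec["ecosystem"] == ecosystem and rec["name"] == name
                    and version_in_range(version, rec["introduced"], rec.get("fixed"))):
                findings.append({"component": f"{name}@{version}",
                                 "id": rec["id"], "severity": rec["severity"]})
    return findings


if __name__ == "__main__":
    for finding in match_sbom(SBOM_JSON, VULN_DB):
        print(finding)
```

Two points the output makes visible: `left-pad@1.3.0` is not reported because it is at or above the fixed version, while `internal-widget` is reported with no id at all, which is the signal that the SBOM itself is incomplete and the supplier should be asked for a proper identifier before the verification is treated as done.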