Secure Software Supply Chains - Regulations, Frameworks, and Standards
Introduction
In one of our previous blog posts, we touched on the subject of Secure Software Supply Chains (SSSC). In this post, we are going to delve deeper into the subject. A blog post cannot do complete justice to this very important subject, but we hope to provide the reader with an overview of this emerging field.
While securing software supply chains is a relatively new field, the risks have always been there. Before the SolarWinds incident, the magnitude of the issue and its potential impact were often ignored. SolarWinds shone a spotlight on the issue.
Since 2020 the IT field has exploded with new government regulations, new terminology, and evolving standards centered on SSSC. All of this has also spawned a multitude of vendor solutions to all your SSSC problems. Making sense of everything that is going on may feel like going down the rabbit hole.
What follows provides an overview of the regulations, standards, and groups as they exist today. We don’t pretend that this overview is going to be complete, because the field is changing all the time, but we believe that basic principles, regulations, and standards are mature enough that they are here to stay, even if they are going to continuously evolve.
US Government Regulations and what that means for you
SolarWinds led to a series of reactions from the Federal Government. These regulations generally apply to federal contractors and government agencies. However, if history is any indicator, these requirements will in time extend to organizations that are considered part of national security infrastructure (e.g. large banks). From there they will expand to the financial industry as a whole, and, therefore, to those who supply software to these institutions. Even if your organization doesn't fall into this category, these regulations are still good guidance. Additionally, most emerging frameworks and standards derive from them.
Name of Publication | Date Published | Synopsis |
---|---|---|
White House Executive Order 14028 | 5/12/2021 | In reaction to the SolarWinds event, the White House issues Executive Order 14028. Section 4 directs the Department of Homeland Security and the National Institute of Standards and Technology (NIST), among others, to develop standards and requirements for federal agencies and contractors. |
NTIA “The Minimum Elements For a Software Bill of Materials (SBOM)” | 6/12/2021 | The National Telecommunications and Information Administration (NTIA) and the US Department of Commerce publish a document describing a Software Bill of Materials and defining a minimum required set of elements in an SBOM. |
NIST 800-218 | 2/03/2022 | NIST issues publication 800-218, which describes a Secure Software Development Framework (SSDF). The SSDF describes the need for an organization’s Software Development Life Cycle (SDLC) to include mechanisms for providing software release integrity and producing an SBOM, without necessarily saying how. |
NIST 800-161 Rev 1 | 05/05/2022 | NIST issues publication 800-161 Rev 1, which describes a set of Supply Chain Risk Management (SCRM) practices. |
OMB Memorandum M-22-18 | 9/14/2022 | The Office of Management and Budget (OMB) issues memorandum M-22-18, directing all federal agencies to comply with NIST’s 800-213. |
NIST Guidance on EO 14028 4(c) and 4(d) | 5/2/2022 | NIST issues guidance that informs the acquisition, use, and maintenance of third-party software for all federal agencies. It specifically discusses SBOM requirements. |
CISA - Securing Software Supply Chains, Recommended Practices for Developers | 08/2022 | The Cybersecurity and Infrastructure Security Agency (CISA) publishes a compendium of suggested practices for developers, suppliers, and customer stakeholders to help ensure a more secure software supply chain. |
Frameworks to the rescue
Framework | Date | Organization | Synopsis |
---|---|---|---|
in-toto | March 10th, 2022 | Cloud Native Computing Foundation (CNCF) | in-toto is a framework that protects the software supply chain by collecting and verifying relevant data. It uses cryptography to capture what happened in the software supply chain and ensures that it happened according to a defined policy. |
SCVS | June 26th, 2022 | Open Web Application Security Project (OWASP) | The Software Component Verification Standard (SCVS) is a community-driven effort to establish a framework for identifying activities, controls, and best practices which can help in identifying and reducing risk in a software supply chain. It provides 3 increasingly robust levels of requirements that allow organizations to adopt the standard gradually. |
S2C2F | November 16th, 2022 | Open Source Security Foundation (OpenSSF) | Originally developed by Microsoft, the Secure Supply Chain Consumption Framework (S2C2F) is targeted toward organizations that do software development, take a dependency on open source software, and seek to improve the security of their software supply chain. It defines a set of 8 practices for securing the use of dependencies. |
TACOS | April 12th, 2023 | Tidelift | Trusted Attestation and Compliance for Open Source (TACOS) is a framework for assessing the development practices of open source projects against a set of secure development standards specified in the NIST SSDF. TACOS defines a machine-readable specification that can be used as part of the overall self-attestation requirement to comply with the requirements and deadlines outlined in OMB memorandum M-22-18. |
SLSA | April 19th, 2023 | Open Source Security Foundation (OpenSSF) | Supply-chain Levels for Software Artifacts (SLSA) is a security framework: a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. SLSA defines 4 increasingly rigorous levels to protect against specific integrity attacks. |
CycloneDX | June 26, 2023 | Open Web Application Security Project (OWASP) | CycloneDX is an SBOM standard that provides advanced supply chain capabilities for cyber risk reduction. |
SPDX v2.2 | May, 2020 | The Linux Foundation Project | SPDX is an open standard for communicating SBOM information, including provenance, license, security, and other related information. The SPDX specification is recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021. |
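The NTIA document listed in the regulations table defines the minimum elements an SBOM must carry (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp), and CycloneDX and SPDX are two formats that can carry them. As an added example, not code from the original post nor from NTIA, OWASP or the CycloneDX project, the Python below reads a CycloneDX 1.4 JSON SBOM and reports which minimum elements are missing and for which component. The mapping of NTIA elements onto CycloneDX fields is this example's own reading of the two documents, and the sample SBOM, its component names, versions and supplier, is constructed for the demonstration.

```python
"""Check a CycloneDX JSON SBOM for the NTIA "minimum elements".

Added example, not part of the original post. The NTIA minimum elements
(supplier name, component name, version, other unique identifiers,
dependency relationship, author of SBOM data, timestamp) are mapped here to
CycloneDX 1.4 JSON fields; the mapping is this example's own reading of the
two documents, not an official crosswalk.
"""
import json

# Constructed sample SBOM. Component names, versions, purls and the supplier
# are invented for this example: "libbeta" lacks a supplier, and "libgamma"
# lacks a version, an identifier and a supplier and is absent from the graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2023-06-01T12:00:00Z",
        "authors": [{"name": "Example Build Team"}],
        "component": {"type": "application", "bom-ref": "app",
                      "name": "example-app", "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "libalpha", "name": "libalpha",
         "version": "2.3.1", "supplier": {"name": "Example Vendor"},
         "purl": "pkg:generic/libalpha@2.3.1"},
        {"type": "library", "bom-ref": "libbeta", "name": "libbeta",
         "version": "0.9.0", "purl": "pkg:generic/libbeta@0.9.0"},
        {"type": "library", "bom-ref": "libgamma", "name": "libgamma"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["libalpha"]},
        {"ref": "libalpha", "dependsOn": ["libbeta"]},
    ],
})


def check_ntia_minimum_elements(sbom_json: str) -> dict:
    """Return {element: [problems]} for every NTIA minimum element not met.

    An empty dict means every element is present for every component.
    """
    sbom = json.loads(sbom_json)
    findings: dict[str, list[str]] = {}

    def note(element: str, problem: str) -> None:
        findings.setdefault(element, []).append(problem)

    meta = sbom.get("metadata", {})
    # Author of SBOM data: CycloneDX records this in metadata.authors, or in
    # metadata.tools when a tool generated the document.
    if not meta.get("authors") and not meta.get("tools"):
        note("author", "metadata.authors / metadata.tools missing")
    # Timestamp of SBOM creation.
    if not meta.get("timestamp"):
        note("timestamp", "metadata.timestamp missing")

    # Collect every bom-ref (root component included) so the dependency
    # graph can be checked for dangling and unlisted references.
    declared_refs = set()
    root = meta.get("component") or {}
    if root.get("bom-ref"):
        declared_refs.add(root["bom-ref"])

    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if comp.get("bom-ref"):
            declared_refs.add(comp["bom-ref"])
        if not comp.get("name"):
            note("component_name", f"{label}: name missing")
        if not comp.get("version"):
            note("version", f"{label}: version missing")
        if not (comp.get("supplier") or {}).get("name"):
            note("supplier_name", f"{label}: supplier.name missing")
        # "Other unique identifiers": a purl, CPE or SWID tag all qualify.
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            note("unique_identifier", f"{label}: no purl/cpe/swid")

    # Dependency relationship: every ref in the graph must be declared, and
    # every declared component must appear somewhere in the graph.
    in_graph = set()
    for dep in sbom.get("dependencies", []):
        edge_refs = [dep.get("ref")] + list(dep.get("dependsOn", []))
        in_graph.update(edge_refs)
        for ref in edge_refs:
            if ref not in declared_refs:
                note("dependency_relationship", f"dangling ref {ref}")
    for ref in sorted(declared_refs - in_graph):
        note("dependency_relationship", f"{ref} not in dependency graph")

    return findings


if __name__ == "__main__":
    for element, problems in check_ntia_minimum_elements(SAMPLE_SBOM).items():
        print(element)
        for problem in problems:
            print("  -", problem)
```

Run against the constructed sample, the check flags the two components without a supplier, the one without a version or identifier, and the component that is declared but never appears in the dependency graph; the root component and the metadata pass. A check like this belongs at the point where an SBOM is received from a supplier, before it is trusted as an inventory for vulnerability matching.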
Now What?
Breathe.
Many of these standards and frameworks provide a graduated approach to improving your SDLC and achieving an SSSC. Start with a risk and compliance assessment; this defines what your security posture should be. You can then select the appropriate levels and applicable standards to create a roadmap for your organization.
It is also very important to understand that you are not going to just tool your way out of this problem. You will need to examine your SDLC processes to understand the most appropriate actions before looking at any additional tooling. Additionally, any program must include educating your staff on the risks and mitigations required to create your SSSC.
In our next blog in this series, we will examine what your responsibility is. We will look deeper at the techniques and approaches to securing your software supply chain. We will examine attestation requirements and we will provide a look at the technical aspects and details of an SBOM.
UPDATE: As an example of how quickly this field is evolving, a few days after we published this post OWASP released the BOM Maturity Model - a formalized structure for assessing BOM capabilities that supports OWASP SCVS.