
NSA Issues Best Practices for Software Supply Chain Risks

Computer-controlled automated machines move containers at Long Beach Container Terminal in the Port of Long Beach in Long Beach, Calif., on Nov. 15, 2021. (Photo by Jeff Gritchen/MediaNews Group/Orange County Register via Getty Images)

The National Security Agency (NSA) has issued a Cybersecurity Information Sheet (CSI) that gives network owners and operators guidance on incorporating software bills of materials (SBOMs) into their defenses, with the aim of protecting the cybersecurity supply chain.

The document is also intended to provide additional guidance for National Security Systems (NSS). Officials said the CSI responds to an increase in cyberattacks on supply chains over the past five years, including targeted attacks on software supply chains.

Supply Chain Attack Defined

A supply chain attack targets a trusted third-party vendor, such as a managed security service provider (MSSP) or managed service provider (MSP), that offers services or software vital to the supply chain. Software supply chain attacks inject malicious code into an application in order to infect the users of that application. Software supply chains are particularly vulnerable because they typically involve off-the-shelf components.

According to a study by KPMG, 73% of organizations have experienced at least one significant disruption caused by a third party in the last three years.

Significant supply chain cyberattacks have grown in number and prominence of late. Most recently, discount retailer Dollar Tree was hit by a supply chain cyberattack that put some two million people’s personal information at risk after a digital break-in at third-party service provider Zeroed-In Technologies. The Fort Myers, Florida-based Zeroed-In is a data and technology consultancy that provides workforce analytics services to its clients.

There is still no word on who attacked Dollar Tree through Zeroed-In, or whether a ransom demand or data extortion threat has been posted.

Dollar Tree, which operates roughly 16,000 eponymous and Family Dollar outlets in North America, was struck in a manner reminiscent of the massive 2020 Russian-backed cyber hit on SolarWinds that affected hundreds of businesses and nearly a dozen government agencies.

Supply Chain Software Best Practices from the NSA

According to the CSI, SBOM management should proceed in three steps:

  • Examine and manage risk before acquiring software.
  • Analyze vulnerabilities after deploying new software.
  • Implement incident management to detect and respond to new software vulnerabilities during vital operations.
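The second step, analyzing vulnerabilities after deployment, is in practice a matching job: take the SBOM that came with the software and check each listed component against a vulnerability feed. The following is an added example, not code from the NSA CSI or from the article, showing that check in Python. It assumes a CycloneDX-style JSON SBOM (a `components` list with `name`, `version` and `purl` fields) and a feed whose entries give an affected package and an `introduced`/`fixed` version range in the style OSV uses. The SBOM, the feed, the package names and the advisory identifiers (`EXAMPLE-ADV-…`) are all constructed sample data, not real advisories.

```python
"""
Added example (not from the NSA CSI or the article): a minimal SBOM
vulnerability check of the kind the "analyze vulnerabilities after
deploying new software" step calls for. It reads a CycloneDX-style JSON
SBOM and matches every component against a vulnerability feed.
The SBOM, the feed and the advisory ids are constructed placeholders.
"""
import json

# Constructed sample SBOM in CycloneDX JSON layout (three fictitious libraries).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-parser", "version": "2.3.1",
         "purl": "pkg:pypi/example-parser@2.3.1"},
        {"type": "library", "name": "example-crypto", "version": "1.0.9",
         "purl": "pkg:pypi/example-crypto@1.0.9"},
        {"type": "library", "name": "example-logger", "version": "0.4.0",
         "purl": "pkg:pypi/example-logger@0.4.0"},
    ],
})

# Constructed feed: each entry names an affected package, the affected
# range [introduced, fixed) and a placeholder advisory id (not a real CVE).
SAMPLE_VULN_FEED = [
    {"id": "EXAMPLE-ADV-0001", "package": "example-parser",
     "introduced": "2.0.0", "fixed": "2.3.2", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "package": "example-crypto",
     "introduced": "1.1.0", "fixed": "1.2.0", "severity": "critical"},
    {"id": "EXAMPLE-ADV-0003", "package": "example-logger",
     "introduced": "0.0.0", "fixed": "0.5.0", "severity": "medium"},
]


def parse_version(version):
    """Turn a dotted numeric version string into a comparable tuple.
    Non-numeric characters are dropped; adequate for the sample data,
    a real deployment would use the ecosystem's own version rules."""
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range)."""
    current = parse_version(version)
    return parse_version(introduced) <= current < parse_version(fixed)


def load_components(sbom_json):
    """Extract (name, version, purl) triples from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: expected CycloneDX")
    return [(c["name"], c["version"], c.get("purl", ""))
            for c in bom.get("components", [])]


def find_vulnerable_components(sbom_json, feed):
    """Return one finding dict per (component, advisory) match."""
    findings = []
    for name, version, purl in load_components(sbom_json):
        for advisory in feed:
            if advisory["package"] != name:
                continue
            if is_affected(version, advisory["introduced"], advisory["fixed"]):
                findings.append({
                    "component": name, "version": version, "purl": purl,
                    "advisory": advisory["id"],
                    "severity": advisory["severity"],
                    "fixed_in": advisory["fixed"],
                })
    return findings


def main():
    for f in find_vulnerable_components(SAMPLE_SBOM_JSON, SAMPLE_VULN_FEED):
        print(f"{f['severity'].upper():8} {f['component']}@{f['version']} "
              f"affected by {f['advisory']} (fixed in {f['fixed_in']})")


if __name__ == "__main__":
    main()
```

Run as-is, the script reports `example-parser@2.3.1` and `example-logger@0.4.0` as affected and leaves `example-crypto@1.0.9` alone because it sits below the advisory's `introduced` version. The same loop is what an incident-management process (the third step) re-runs whenever the feed changes: the SBOM is static, the feed is not, so new findings against an unchanged deployment are exactly the signal that step is meant to catch.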

Rob Joyce, NSA Cybersecurity Director and Deputy National Manager for National Security Systems (NSS), said it is important for organizations to focus on these best practices as they evaluate software.

“As Software Bills of Materials become more integral to Cybersecurity Supply Chain Risk Management standards, best practices will become critical to ensuring efficiency and reliability of the software supply chain,” he said.

“Network owners and operators we work with count on NSA to advise them on shoring up their defenses,” Joyce said. “These guidelines provide the information they need to select the appropriate tools to reduce an organization’s overall risk exposure.”

The CSI’s contents draw from NSA sources, analysis and partners, including the National Institute of Standards and Technology, the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, the National Telecommunications and Information Administration, and the larger cybersecurity community.