The security and integrity of technology supply chains is an issue that directly affects virtually every modern organization. Every organization naturally relies on technology, and vulnerabilities or threats within technology supply chains can allow adversaries to compromise that technology before it is ever delivered to the customer.
Over the past year, the White House has taken repeated measures to make supply chain security a top priority for federal agencies, most notably with the release of Executive Order 14028, Improving the Nation’s Cybersecurity, in May of 2021. The order called for NIST to issue guidance regarding secure software development as well as supply chain security, and for the Office of Management and Budget (OMB) to require agencies to comply with those guidelines. NIST provided this guidance via SP 800-218, Secure Software Development Framework (SSDF), and the NIST Software Supply Chain Security Guidance. On September 14, 2022, the White House closed the loop by issuing memo M-22-18, which directs federal agencies to comply with the NIST guidance.
This is a very important and far-reaching development. Specifically, the memo defines responsibilities in two important areas.
The memorandum includes a comprehensive definition of software which explicitly includes firmware and operating systems in addition to applications, as follows.
The term “software” for purposes of this memorandum includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.
This is an important development. Firmware is critical software shipped with and operating ICT equipment. Examples include the network OS running on network appliances, the Linux-based OS inside the remote management subsystem of each server, BIOS or EFI code on PC and Mac motherboards, the code running inside SSDs, and ultimately any code operating mission-critical equipment. It is the most privileged code on each device, and often the most persistent, which makes it a natural target for adversaries in the supply chain. The challenge for agencies is that a single device may have firmware from dozens of different suppliers from different countries of origin. This can make self-attestation not only cumbersome but also inherently less reliable. For example, it is possible for an application vendor to self-attest to their own development practices: other than open source components, the vendor is the main source of the code.
The software code within physical equipment such as laptops, servers, networking or other specialized equipment, is a much different proposition. Every component may have its own supplier and its own firmware. Each component may have sub-suppliers and open source components that make the full lineage of the code even murkier. Supply chain shortages and pressures may force a vendor to replace one supplier with another. This makes it very hard for a vendor to provide a reliable attestation for all the code within a product.
Taken together, the firmware and software embedded in devices are both highly critical and hard to attest to. This can easily increase the need for agencies to take more proactive measures, such as getting third-party assessments of code or using automated tools to verify its integrity.
Eclypsium provides a highly automated platform to meet these needs and ensure the integrity and posture of an agency’s supply chain. Agencies or their certified FedRAMP Third Party Assessor Organization (3PAO) can use simple Eclypsium scans in the following ways:
This gives agencies a far more direct and reliable way of verifying the security of their supply chain. Instead of trusting suppliers and a cascading network of attestations, security teams can easily verify what software and firmware is actually on each device and piece of equipment. This is not only a simpler approach but also more reliable and puts control in the hands of security teams.
To learn more, please reach out to the Eclypsium team at [email protected].
*** This is a Security Bloggers Network syndicated blog from Eclypsium authored by Eclypsium. Read the original post at: https://eclypsium.com/2022/09/15/what-the-white-house-memo-on-supply-chain-security-means-for-you/