Reed Smith Client Alerts

NIST has published guidance to the 2021 Executive Order on “Improving the Nation’s Cybersecurity.” The guidance seeks to assist federal agencies and their practices for software supply chain security and the procurement of software. Although the guidance was drafted to assist federal agencies, it applies to private businesses and their respective software supply chains and cybersecurity practices.

Introduction and overview of guidance 

Executive Order (EO) 14028 on “Improving the Nation’s Cybersecurity,” issued on May 12, 2021, directed the National Institute of Standards and Technology (NIST) to publish guidance on practices for software supply chain security. More details on EO 14028 can be found at reedsmith.com. Following this directive, NIST published guidance on February 4, 2022 to assist federal agencies in determining what information to request from software producers regarding their secure software development practices. The procurement of software includes firmware, operating systems, applications, application services (e.g., cloud-based software), and products containing software. Additionally, the guidance has provisions outlining how to ensure and verify that the software has the appropriate lifecycle management and security and how to establish these safeguards during procurement.

Although NIST drafted the guidance to assist federal agencies, it also applies to private businesses that sell or resell software products to federal agencies, and can be used by private businesses in negotiating software contracts and as part of a programmatic approach to information security.

Global increase in cybersecurity risks

Globally and across industries, businesses are experiencing an increase in cybersecurity threats. Indications are that cybercrimes of all types are on the rise, with ransomware demands rising and incidents being more damaging to systems than in the past. The ongoing conflict between Russia and Ukraine has highlighted the rising risks associated with cybersecurity events, as bad actors take advantage of the turmoil and seek to interrupt the economies and operations of the countries. There is heightened risk for entities conducting business in Russia or Ukraine, and for those nations and private entities that have imposed sanctions. Potential significant targets include financial services and utilities.

Reliance on software vendors and third party service providers without proper information security controls in place can increase the risk of a cybersecurity event in your organization, and both procurers and suppliers should be aware of the risks presented by bad actors.   

The NotPetya and SolarWinds incidents present particularly notable examples of the cybersecurity risks that may arise in the software supply chain. NotPetya, a global malware attack in 2017 believed to have been perpetrated by Russian government hackers, initially targeted Ukrainian companies. The attack was propagated when malicious code was inserted into a routine update to Ukraine tax preparation software but caused collateral damage to entities around the world. Similarly, the SolarWinds hack, perpetrated by a group of hackers who are also believed to be Russian, added malicious code to a software system that was pushed out to the companies’ customers through a normal update protocol. The code in the SolarWinds update created a backdoor that allowed hackers to access the affected systems and perpetrate the largest security incident in history.