National Institute of
Standards and Technology
NIST Seeking Position Papers for Guidelines, Standards to Improve Software Supply Chain Security
The National Institute of Standards and Technology has announced a virtual workshop that seeks to improve the security of the software supply chain and fulfill President Joe Biden’s executive order on enhancing the federal government’s cybersecurity.
The EO, which was issued on May 12, directs the secretary of commerce to consult with federal agencies, academia, the private sector and other stakeholders regarding standards, tools, best practices and other guidelines to improve the software supply chain’s security.
The workshop is scheduled for June 2 to 3. One of its goals is to share plans aimed at developing software-related standards and guidelines required under the May 12 EO, the NIST said Monday.
The workshop will also facilitate discussion about the approach and content that the national institute must consider when developing the guidelines and standards.
Once ready, federal agencies will use the guidelines and standards as they make procurement decisions on software products and services.
The NIST is seeking position papers for the workshop. The agency laid out five areas that the position papers must address, including criteria for designation critical software.
The NIST requires the submissions to have functional criteria such as the level of privilege or access required to function, integration, dependencies, direct access to networking and computing resources and potential for harm if compromised.
The papers must also indicate an initial list of secure software development lifecycle standards, best practices and other guidelines that support the development of software for use by the government. The list must include criteria and the necessary information for attestation of conformity by developers and suppliers, the NIST noted.
The focus areas also include guidelines on the required security measures that should be applied to the government’s use of critical software.
All areas tackle the scope and assignments specified in Biden’s EO.
According to the NIST, the topics and speakers selected for the June workshop will be primarily based on the position papers, which have to be submitted no later than May 26.
The NIST also noted that the papers must specify which of the areas are being addressed and should only be two pages long.
Category: Cybersecurity