FORT MEADE, Md. – The National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA), and industry partners have released a cybersecurity technical report (CTR), “Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption.” The guidance in this release aids software developers, suppliers, and customer stakeholders in ensuring the integrity and security of software via contractual agreements, software releases and updates, notifications, and mitigations of vulnerabilities.
The report was developed by the Enduring Security Framework (ESF) Software Supply Chain Working Group, an NSA, ODNI, and CISA-led a public-private cross-sector group, to provide details on recommended practices as a basis for describing, assessing, and measuring security practices relative to the software lifecycle. It builds on the “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” paper released by the Office of Management and Budget (OMB).