NRMC: Vulnerability Awareness, Partnership Essential to ICT Supply Chain Security

The Cybersecurity and Infrastructure Security Agency (CISA) is taking a multi-faceted approach to supply chain security, and chief among them is putting in place strong public-private partnerships to maintain supply chain resilience and maintaining high awareness about the sources of supply chain threats.

That was the word from Mara Winn, Associate Director of CISA’s National Risk Management Center (NRMC), who provided updates on the NRMC’s work at FCW’s NASA SEWP SCRM Hybrid Forum 2022 on May 24.

Having a common language on security then allows organizations to have an “apples-to-apples conversation with your vendors” that are especially useful because different groups have different tolerance for risk, she said.

Winn also emphasized the importance of agencies constantly looking for where threats are coming from, and understand the trustworthiness of their own supply chain. She highlighted that everyday risks to the supply chain are “more than just ships having trouble in ports.”

Source: NRMC: Vulnerability Awareness, Partnerships Essential to ICT Supply Chain Security – MeriTalk

Google Created ‘Open-Source Maintenance Crew’ to Help Secure Critical Projects


Source: The Hacker News
Published: May 13, 2022
 
Google has announced the creation of a new “Open Source Maintenance Crew” to focus on bolstering the security of critical open source projects. Additionally, the tech giant pointed out Open Source Insights as a tool for analyzing packages and their dependency graphs, using it to determine “whether a vulnerability in a dependency might affect your code.” “With this information, developers can understand how their software is put together and the consequences to changes in their dependencies,” the company said. The development comes as security and trust in the open source software ecosystem has been increasingly thrown into question in the aftermath of a string of supply chain attacks designed to compromise developer workflows.

Source: Google Created ‘Open-Source Maintenance Crew’ to Help Secure Critical Projects

Managing Trustworthiness & Dependability of Systems Acquired Via Supply Chain

Presented by

Dr. Bill Curtis, Executive Director, CISQ | Robert Martin, Sr. Software and Supply Chain Assurance Principal Eng., MITRE

Register: Managing Trustworthiness & Dependability of Systems Acquired Via Supply Chain (brighttalk.com)

About this talk

Join the Consortium of Information and Software Quality (CISQ) on April 6th, 2022, 3:00pm CST – 4:00pm CST to learn how to manage the trustworthiness and dependability of systems acquired through your supply chain. Learning Objectives: – Learn how to leverage CISQ measures to reduce risk in your contacts & SLAs – How to certify software and its level of risk – How to manage the quality of the software you are receiving from a supply chain – Learn about the use of Software Bill of Materials (SBOM) in a software supply chain

NIST SP 800-160v1 Revision 1 Initial Public Draft out for Review

NIST is releasing the draft of a major revision to Special Publication (SP) 800-160 Volume 1, Engineering Trustworthy Secure Systems. This publication is intended to serve as a reference and educational resource for engineers and engineering specialties, architects, designers, and personnel involved in the development of trustworthy secure systems and system components. The guidance can be applied selectively by organizations, individuals, or engineering teams to improve the security and trustworthiness of systems and system components.

In particular, Draft SP 800-160 Volume 1, Revision 1 focuses on the following strategic objectives, which drove the majority of changes to the publication:

  • More strongly positioning Systems Security Engineering (SSE) as a sub-discipline of Systems Engineering (SE)
  • Emphasizing that the responsibility for engineering trustworthy secure systems is not limited to security specialties and that the achievement of security outcomes must properly align with SE outcomes
  • Aligning SSE practices with safety practices and other disciplines that deal with the loss of assets and the consequences of asset loss
  • Focusing on the assurance of the correctness and effectiveness of the system’s security capability to achieve authorized and intended behaviors and outcomes and control adverse effects and loss
  • More closely aligning systems security engineering work to international standards

NIST is interested in feedback on the specific changes made to the publication during this update, including the organization and structure of the publication, the presentation of the material, its ease of use, and the applicability of the technical content to current or planned systems engineering initiatives.

Submit comments using the comment template provided.

https://csrc.nist.gov/publications/detail/sp/800-160/vol-1-rev-1/draft