WASHINGTON — Today, global tech trade association ITI emphasized the need for continuous review of software supply chain standards and best practices given the ever-evolving nature of risks and vulnerabilities as the Biden Administration initiates implementation of its Executive Order on Improving the Nation’s Cybersecurity. In comments submitted to the National Institute of Standards and Technology (NIST) specific to Section 4 of the Executive Order, ITI highlights relevant international standards that should be leveraged in NIST’s implementation work, calls for a risk-based approach when determining the definition of “critical software,” and expresses willingness to work closely with NIST partners to regularly review and revise guidelines as appropriate for the rapidly changing technology environment.

The recent Executive Order delegates NIST to consult with stakeholders to identify standards, tools, best practices, and other guidelines to enhance software supply chain security. ITI welcomed the Executive Order earlier this month.

“We appreciate the opportunity to consult with NIST to help modernize and advance software supply chain security efforts, as part of the broader focus of President Biden’s recent cybersecurity Executive Order on enhancing public-private collaboration on cyber and supply chain security,” said Alexa Lee, Senior Manager for Policy at ITI. “NIST is well positioned to execute this work and has a long history of consistent engagement with industry. ITI stands ready to work with NIST to leverage our respective areas of expertise on current and developing technical standards and best practices relevant to software supply chain security. We also welcome the opportunity to participate in its planned June 2-3 workshop to review and discuss industry feedback.”

In the comments, ITI recommends that:

  • NIST leverage existing international standards and frameworks, and that proposed guidelines, best practices, or standards adopted pursuant to the Executive Order be technology-agnostic and focus on risk-based practices, procedures and architecture guidelines for secure development and account for the risk levels associated with software components.
  • The definition of “critical software” should follow a risk-based approach and focus narrowly on the purpose or use of the software, and the potential impact to the organization if the software is compromised; and
  • Companies should be afforded latitude to determine which mix of practices mapped to standards is best based on their business models, risk profiles, and other factors related to the secure development standards that they have honed over many years.

Read ITI’s full comments here.

Related [Cybersecurity, Supply Chain]