Supply Chain Council of European Union | Scceu.org
News

Protecting the U.S. from Software Supply Chain Attacks (Part 1)

In recent articles, we’ve written extensively about software supply chain attacks, including:

  • What they are and why they pose such a huge threat
  • Why the U.S. is still vulnerable to them despite several regulatory changes
  • Why current initiatives (including EO 14028) are unlikely to solve the problem

All of this leads to an obvious question: what should the U.S. do about supply chain attacks?

It’s Time to Regulate Technology Vendors

To adequately protect the U.S. economy, citizens, and critical infrastructure from software supply chain attacks, regulators should consider a legal mandate that requires technology vendors to implement:

  1. A higher standard of cybersecurity in the development environment and across the business.
  2. A robust risk assessment of their own supply chains to protect against similar threats.

These requirements should go beyond those laid out in EO 14028 and NIST SP 800-161. The following section outlines proposed requirements (Read more…)

Related posts

Japan’s defense equipment supply chain is in a predicament

scceu

Crutches are now the latest victim of the supply chain shortage

scceu

‘We’re still fighting last decade’s battle’ – Sonatype CTO Brian Fox on the struggle to secure the neglected software supply chain

scceu