Supply Chain Council of European Union | Scceu.org
Protecting the U.S. from Software Supply Chain Attacks (Part 1)

In recent articles, we’ve written extensively about software supply chain attacks, including:

  • What they are and why they pose such a huge threat
  • Why the U.S. is still vulnerable to them despite several regulatory changes
  • Why current initiatives (including EO 14028) are unlikely to solve the problem

All of this leads to an obvious question: what should the U.S. do about supply chain attacks?

It’s Time to Regulate Technology Vendors

To adequately protect the U.S. economy, citizens, and critical infrastructure from software supply chain attacks, regulators should consider a legal mandate that requires technology vendors to implement:

  1. A higher standard of cybersecurity in the development environment and across the business.
  2. A robust risk assessment of their own supply chains to protect against similar threats.

These requirements should go beyond those laid out in EO 14028 and NIST SP 800-161. The following section outlines proposed requirements