The Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) jointly published a new resource as part of their ongoing efforts to promote awareness of, and help organizations defend against, supply chain risks. The publication, Defending Against Software Supply Chain Attacks, provides recommendations for software customers and vendors as well as key steps for prevention, mitigation and resilience of software supply chain attacks.

Software supply chain attacks occur when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. A software supply chain attack can occur at any phase of the supply chain, including design, development and production, distribution, acquisition and deployment, maintenance, and disposal. The risk is significant because virtually every organization relies on multiple external software vendors to provide services and products to manage the organization’s business operations (e.g., financial, human resources, data analytics, logistics, manufacturing, healthcare, and information technology software and code). Given the prevalence of supply chain cyber attacks, with the well-publicized compromise of Solar Winds and its widespread impact being the most recent example, organizations should take heed of the critically important and practical guidance for protecting their software supply chains contained in the resource.

We have previously written about supply chain risk applicable to Internet of Things (IoT) devices, including recent legislative initiatives to develop standards for government contractors and systems. In this context, the NIST cautions specifically about malicious or vulnerable software that can make its way into information and communications technology (ICT) products and services through the retailers, distributors, vendors, and suppliers that participate in their sale, delivery, and production.

The resource highlights three common, and not mutually exclusive, software supply chain attack techniques:

  • Hijacking Updates: where a malicious actor inserts malware into a routine software update by infiltrating a vendor’s network.
  • Undermining Codesigning: where a malicious actor inserts malicious code into an update by impersonating a trusted vendor.
  • Compromising Open-Source Code: where a malicious actor inserts code into a publicly accessible “open-source” code library, which may then be unintentionally incorporated by software developers into products sold to consumer organizations. Recent vulnerabilities found in publicly available DNS code highlights this method of attack.

Organizations are vulnerable to software supply chain attacks through common products such as, antivirus, IT management and remote access software, all of which typically require frequent communication with the software vendor for updates. For example, the December 2020 SolarWinds hack involved a software supply chain attack on an IT management tool, SolarWinds’ Orion platform, in which a foreign threat actor inserted a “backdoor” into routine software updates, which allowed the threat actor to gain access to numerous government and private sector networks.  Once a malicious actor has gained access to an organization’s network through a software supply chain attack, follow-on actions can include data or financial theft, eavesdropping on sensitive communications and business plans, and disabling networks or systems.

In Defending Against Software Supply Chain Attacks, the NIST provides recommendations to organizations acquiring software or other ICT products and services. To start, the NIST recommends establishing a formal, organization-wide cyber supply chain risk management (C-SCRM) program to ensure that supply chain risk receives attention across the organization, including from executives and managers within operations and personnel across supporting roles. An effective supply chain risk management program can mitigate risk through, among other things, establishing security requirements or controls for software and ICT product suppliers, assessing supplier certifications and component inventory, and ensuring that vendors enforce supply chain security requirements, including through contracts and other safeguards.

In addition to preventative C-SCRM programs, the NIST recommends that organizations develop and implement a vulnerability management program to scan for, identify, triage, and mitigate existing software vulnerabilities. An appropriate vulnerability management program enables an organization to conduct security impact analyses, implement manufacturer-provided guidelines to harden software, operating systems, and firmware, and maintain information system component inventory.

The NIST also recommends that organizations use resilience measures where threat actors have successfully exploited vulnerable software. These include pre-identifying alternative software suppliers, and identifying and establishing failover processes in the event of a compromise.

Organizations subject to regulatory standards to protect personal, health and other sensitive information (e.g., Gramm-Leach Bliley, HIPAA, NY SHIELD Act, California Civil Code §1781.5, Massachusetts data protection regulation, Illinois Personal Information Protection Act and Biometric Information Protection Act) are already required to use reasonable safeguards to secure protected information in their supply chains. It is critical, however, that all organizations plan for the cybersecurity of their software and ICT products and services and take reasonable steps to ensure that C-SCRM procedures are in place, and that vulnerabilities are addressed in a timely manner consistent with risk.

Defending Against Software Supply Chain Attacks provides helpful guidance for organizations in taking steps to secure their systems against software supply chain attacks that can compromise protected information. These measures include:

  • Developing a written program to address software supply chain risk, including as required under applicable data protection statutes and regulations.
  • Inventorying organizational reliance on external software and code across all operational departments.
  • Assessing risk from these vendors and adopting appropriate contractual and other safeguards.
  • Coordinating efforts across management, IT, personnel, compliance, product development and operational departments.
  • Monitoring the threats and vulnerabilities to the software supply chain, including through technical measures and threat analysis, on an ongoing basis.

EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and develop information security programs, manage supply chain risk and identify recognized security practices that may bolster practical security and improve compliance defensibility. Any questions may be directed to the authors or another member of EBG’s Privacy, Cybersecurity, and Data Asset Management GroupBrian G. Cesaratto is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Alexander Franchilli is an Associate in the Employment, Labor & Workforce Management and Litigation practices, in the New York office of Epstein Becker Green.

Back to Workforce Bulletin Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.