Less talk, more action: High hopes for CISA's new C-SCRM office

CISA's C-SCRM turns a page on a busy year for federal software supply chain security directives and guidance. Will it move the needle?

Ericka Chickowski, Freelance writer.

The US Cybersecurity and Infrastructure Security Agency (CISA) is making moves in 2023 to put all of its recent policy and guidance work around software supply chain security into action. Earlier this month, the agency announced a risk management office that is meant to help operationalize a lot of the new and upcoming guidance from CISA and other federal agencies on cyber supply chain risk management (C-SCRM).

The office will be led by Shon Lyublanovits, formerly of the General Services Administration (GSA). The original Federal News Network report of C-SCRM came by way of a recent event featuring Lyublanovits, who says the office is still in early stages but wants to get CISA to do more than "thinking broadly" on the problem by making meaningful roadmaps for action and implementing them.

Details are still forthcoming as to how the office will operate, but early indications are that the C-SCRM office will not only help federal agencies put policies into practice, but also lead the charge in information sharing, education, and outreach to wider security industry and developer communities. Lyublanovits said at the event:

We want to make sure that we’re collectively looking at all of this because, again, it isn’t a government problem. It isn’t (an) industry problem. It is a nation problem.

Will CISA's C-SCRM office and initiative move the needle on software supply chain security? Here's analysis of the news from experts in the field.

See Special Report: NIST CSF 2.0 and C-SCRM for Software Risk Management

A year of directives and guidance

The creation of the C-SCRM office and Lyublanovits' appointment turns a page on what was a busy 2022 in the issuance of new federal directives and guidelines with regard to software security and cyber supply chains.

Some of the highlights included the release of:

NIST's finalized revision of the Secure Software Development Framework, which covers a lot of the longstanding best practices in secure software development, bolstering a lot of the guidance around tracking and monitoring software components and the software-based tools pipeline that builds applications
NIST's cybersecurity supply chain risk management guidelines for enterprises that offers a soup-to-nuts overview on building out a program for managing software and system supply chains.
A memo by the White House Office Management and Budget (OMB) prescribing federal agencies to comply with these pieces of NIST guidelines and particularly calling for self-attestation from their software suppliers through the use of software bills of materials, with deadlines for SBOMs hitting in September of 2023.
A three-part guide coordinated by CISA in its Enduring Security Framework (ESF) project that details best practices for securing the software supply chain that are geared for developers, for suppliers, and for customers.

See our interactive report: A timeline of federal guidance on software supply chain security

Among these, the OMB memo is likely to have some of the most immediate impact on private sector practices around software security, as the attestation requirements are likely to have a ripple effect of transparency for any organizations that do business with the federal government.

Jeff Williams, co-founder and CTO of Contrast Security, said companies that already have a decent app sec program in place can quickly create these attestations about what they are already doing. But there are a lot of companies that don’t do much to ensure security, and they should get moving right away to get their house in order before the one year deadline.

I think that the enforcement of these requirements is part of a broader trend towards security transparency for all software. I believe it is a fundamental human right that software users should know about the security of the software they trust with their finances, government, healthcare, social life, elections, and everything else that matters in their life.
Jeff Williams

For their part, the ESF guidelines had a hit-or-miss reaction from some industry players like Williams. He argued that the developers' guide was too sweeping while lacking the kind of resources that developers need to improve the state of the software security and the way they tap into the software supply chain.

I don’t think the 'guide for developers' is helpful at all. It’s a kitchen sink of so-called best practices and requirements from a variety of sources and organizations. The doc is absolutely not for developers. They’re security activities and would require a massive rethink for developers to perform. You can’t just shove security activities on developers — that’s 'shitting left' vs. shifting left and it doesn’t work.
Jeff Williams

More crucially, even the actionable content in the ESF guides lacked any kind of meaningful teeth for enforcement, so many industry insiders say the recommendations have only a so-so chance of being fully embraced in the private sector, said Ray Steen, chief strategy officer for MainSpring, a consultancy that does business with numerous federal agencies.

As of yet, ESF guidelines are just that: guidelines. The documents do not represent a change in regulation, and they carry no timeline for compliance. That being said, they could potentially influence ongoing cybersecurity initiatives such as OMB's zero-trust strategy which goes into effect by 2024. ESF guidance could be included in future iterations of CMMC or NIST 800-171 which would make it a pre-requisite for doing business with the federal government.
Ray Steen

See our full coverage of the Enduring Security Framework

2023: A chance to demonstrate action on software supply chain security

That gap between mandates and guidelines could potentially be where the C-SCRM office has the opportunity to spur movement in helping the private sector stakeholders move the needle on cyber supply chain risk.

Matt Rose, Field CISO for ReversingLabs, said he applauds CISA's creation of the C-SCRM organization "because clarity is a must when it comes to policies and standards for any technology initiative."

Currently there are a ton of statements and standards associated with software supply chain risk being created without a common voice. It is up to the interpretation of the individual, or organization, to figure out what is a must-have, and what is a 'nice to have'. I see the C-SCRM, in a perfect world, as the one voice for all things associated with supply chain risk.
Matt Rose

Abhay Bhargav, founder and CEO at AppSecEngineer, said that forming a new project management office can help solve key software supply chain security issues.

Having a dedicated office to focus on this issue provides resources, focus, and meaningful detailing to improve the progress of software supply chain security. This increases awareness, provides guidance and best practices, and facilitates collaboration between government agencies, industry, and other stakeholders.
Abhay Bhargav

In particular, Bhargav believes that the office could do a lot to proactively educate the right stakeholders, especially in concert with detailed standards. He says the more specific that CISA and its new office can be with standards and implementation guidance, the better these efforts will serve government and private-sector stakeholder.

Guidance needs to have specificity with reference to the industry and sector as well, Bhargav said. "Supply-Chain security for healthcare and devices is a completely different animal that needs to be dealt with differently."

Creating high-level guidance never works. Specific is terrific.
Abhay Bhargav

Will C-SCRM move the needle on supply chain security?

Nathaniel Cole, CISO for TreviPay and an cybersecurity advice columnist for advisory firm Network Assured, said CISA's track record on taking action to engage with private sector interests shows that this new office could be a game-changer for cyber supply chain risk management.

By providing everything from security recommendations or configurations on new and emerging technologies to providing opens source intelligence on vulnerabilities, CISA has a track record of helping to secure private industry over the years. "We can expect they will know the steps to take in helping businesses tackle supply chain security," Cole says.

Based on what CISA has provided over the years, we can expect a wealth of great tools and services coming from this new office in the years to come. These could drastically improve the intelligence and capabilities of organizations to better secure their software and manage supply chain risks.
Nathaniel Cole

Keep learning

Read the 2025 Gartner® Market Guide to Software Supply Chain Security. Plus: See RL's webinar for expert insights.
Get the white paper: Go Beyond the SBOM. Plus: See the webinar: Welcome CycloneDX xBOM.
Go big-picture on the software risk landscape with RL's 2025 Software Supply Chain Security Report. Plus: See our webinar for discussion about the findings.
Get up to speed on securing AI/ML with our white paper: AI Is the Supply Chain. Plus: See RL's research on nullifAI and replay our Webinar to learn how RL discovered the novel threat.
Learn how commercial software risk is under-addressed: Download the white paper — and see our related webinar for more insights.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:AppSec & Supply Chain Security