NIST has revised its Security and Privacy Control Catalog to strengthen how organizations manage software updates and patches, part of a broader effort to reduce the window of exposure in the software supply chain.
The changes, originally published in 2020, cover access, authentication, incident response and supply chain risk management; the updated catalog now emphasizes the software update process and patch releases to mitigate cyber risk.
The three changes introduced are designed to shrink the attack window and improve how software updates are developed, tested and deployed. They are:
- Logging syntax: Defines an electronic format for recording security-related events to support better incident response, with data formats that facilitate automation and faster reconstruction of security incidents.
- Root cause analysis: Requires a formal review to determine the cause of an issue or failure with a software update, followed by an action plan and implementation.
- Design for cyber resiliency: Recommends building systems with the capacity to anticipate, withstand, respond to, and recover from attacks while maintaining critical functions.
Discussion updates accompanying the changes highlighted concerns around least-privilege access, flaw-remediation testing, customer agreements and notification, and coordinating updates across stakeholders.
The modifications come in response to a June executive order requiring an update to the Security and Privacy Control Catalog by Sept. 2, and were completed under a new commenting system that allowed proposed revisions and feedback in real time.
Experts say the revisions are intended to help organizations in both the public and private sectors understand their role in securing the software on their systems and to reduce the risk of data breaches through more effective patch management and software updates.