CISA, NSA, and Global Partners Issue New Guide For Securing Software Supply Chains

Published on Sep 4, 2025
Written by Joel Witts
Technical Review by Laura Iannini

CISA, the US Cybersecurity and Infrastructure Security Agency, has issued new guidance intended to increase transparency in software supply chains.

The guide advises software vendors and operators on why adopting a Software Bill of Materials (SBOM) matters for securing software supply chains and the components that flow through them.

An SBOM is a record detailing the components and supply chain relationships used in building software. Often referred to as an “ingredients list,” SBOMs provide organizations with visibility into software dependencies.

When a vulnerability in a component is disclosed, that visibility makes it easier to determine which products and deployments actually contain the affected version, so teams can find and fix exposure more quickly.
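As an added illustration of the kind of analysis an SBOM enables (this is example code written for this article, not code from the CISA/NSA guidance), the following Python script parses a small hand-constructed CycloneDX-style SBOM, cross-references its components against a constructed advisory list using OSV-style introduced/fixed version ranges, and walks the SBOM's dependency graph to show which component pulls a vulnerable one in. The package names, advisory identifiers, version ranges and dependency edges are all made up for the example; nothing here refers to a real product or a real vulnerability.

```python
import json
import re

# Constructed sample SBOM in the CycloneDX JSON shape (hand-written; not a real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "payments-api", "type": "application",
                               "name": "payments-api", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/example-http@2.31.0", "type": "library",
         "name": "example-http", "version": "2.31.0", "purl": "pkg:pypi/example-http@2.31.0"},
        {"bom-ref": "pkg:npm/example-logger@1.4.2", "type": "library",
         "name": "example-logger", "version": "1.4.2", "purl": "pkg:npm/example-logger@1.4.2"},
        {"bom-ref": "pkg:maven/com.example/example-xml@3.0.1", "type": "library",
         "group": "com.example", "name": "example-xml", "version": "3.0.1",
         "purl": "pkg:maven/com.example/example-xml@3.0.1?type=jar"},
        # A vendored blob with no purl: it cannot be matched and must be surfaced, not ignored.
        {"bom-ref": "vendored-blob", "type": "library", "name": "vendored-blob", "version": "0"},
    ],
    "dependencies": [
        {"ref": "payments-api", "dependsOn": ["pkg:pypi/example-http@2.31.0",
                                               "pkg:maven/com.example/example-xml@3.0.1"]},
        {"ref": "pkg:pypi/example-http@2.31.0", "dependsOn": ["pkg:npm/example-logger@1.4.2"]},
    ],
})

# Constructed advisory feed in an OSV-like shape; identifiers and ranges are fictitious.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "ecosystem": "npm", "package": "example-logger",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-2025-0002", "ecosystem": "pypi", "package": "example-http",
     "introduced": "2.0.0", "fixed": "2.31.0"},          # already fixed in the deployed version
    {"id": "EXAMPLE-2025-0003", "ecosystem": "maven", "package": "com.example/example-xml",
     "introduced": "3.0.0", "fixed": None},              # no fixed release yet
]


def parse_version(version):
    """Turn '2.31.0' into (2, 31, 0). Pre-release tags are dropped: adequate for this
    example, but real tooling should apply each ecosystem's own version ordering rules."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into (type, name, version)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    name, _, version = rest.partition("@")
    return ptype, name, version


def load_components(sbom_json):
    """Return (components that carry a purl, refs of components that have none)."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    resolved, unresolved = [], []
    for c in sbom.get("components", []):
        purl = c.get("purl")
        if not purl:
            unresolved.append(c.get("bom-ref") or c.get("name"))
            continue
        ptype, name, version = parse_purl(purl)
        resolved.append({"ref": c.get("bom-ref", purl), "ecosystem": ptype,
                         "package": name, "version": version})
    return resolved, unresolved


def is_affected(version, introduced, fixed):
    """OSV-style range check: affected when introduced <= version < fixed (fixed=None: unfixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_advisories(components, advisories):
    """Cross-reference every component against every advisory for the same package."""
    hits = []
    for c in components:
        for adv in advisories:
            if (adv["ecosystem"], adv["package"]) != (c["ecosystem"], c["package"]):
                continue
            if is_affected(c["version"], adv["introduced"], adv["fixed"]):
                hits.append({"ref": c["ref"], "advisory": adv["id"], "fixed": adv["fixed"]})
    return hits


def dependents_of(sbom_json, ref):
    """Walk the CycloneDX dependency graph upward and list every ref that pulls `ref` in,
    directly or transitively: this answers 'where do we actually ship this component?'."""
    graph = {d["ref"]: d.get("dependsOn", [])
             for d in json.loads(sbom_json).get("dependencies", [])}
    found, frontier = [], [ref]
    while frontier:
        target = frontier.pop()
        for parent, children in graph.items():
            if target in children and parent not in found:
                found.append(parent)
                frontier.append(parent)
    return found


if __name__ == "__main__":
    comps, missing = load_components(SAMPLE_SBOM)
    for hit in match_advisories(comps, SAMPLE_ADVISORIES):
        chain = " <- ".join(dependents_of(SAMPLE_SBOM, hit["ref"]))
        print(f"{hit['advisory']}: {hit['ref']} (fixed in {hit['fixed'] or 'no fix yet'}); "
              f"pulled in via {chain}")
    for ref in missing:
        print(f"WARNING: {ref} has no purl and could not be checked")
```

Two details are worth noting. A component with no purl is reported rather than silently skipped, because an SBOM entry that cannot be matched to an ecosystem is exactly the blind spot an attacker benefits from. And the match is on ecosystem plus package name with a version range, not on the free-text `name` field alone, since the same name can exist in several ecosystems with unrelated code.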

Modern software increasingly relies on third-party integrations and open-source components, which means security can no longer be limited to the efforts of one team.

Just this week, a compromise of Salesloft Drift, a third-party integration with Salesforce, enabled a threat actor to access potentially hundreds of vendors' Salesforce instances, a classic example of a supply-chain attack: the victims were exposed not through their own code but through a component they trusted.

The new guidance was developed by CISA, the NSA (National Security Agency), and 19 international partners, including cybersecurity agencies from Australia, Canada, France, Germany, and India, and aims to unify SBOM guidance into one set of best practices.

“The ever-evolving cyber threats facing government and industry underscore the critical importance of securing software supply chain and its components. Widespread adoption of SBOM is an indispensable milestone in advancing secure-by-design software, fortifying resilience, and measurably reducing risk and cost,” said Madhu Gottumukkala, Acting Director of CISA.

“This guide exemplifies and underscores the power of international collaboration to deliver tangible outcomes that strengthen security and build trust. Together, we are driving efforts to advance software supply chain security and drive unparalleled transparency, fundamentally improving decision-making in software creation and utilization.”

CISA encourages software producers, purchasers, and operators to review this new advice and integrate SBOM generation, analysis, and sharing into their security practices.

The long-term goal is to create a coordinated, global approach to SBOM that will reduce complexity, improve effectiveness, and support secure-by-design software development.

The full guidance is available here.