Adrian Johnson
The Network Resilience Coalition (NRC) has issued recommendations for better network and software security to reduce vulnerabilities. The NRC, comprised of companies such as AT&T, Cisco, Intel, Palo Alto Networks, and Verizon, is calling on all IT vendors to improve the cybersecurity of their products by addressing software development and lifecycle management. The group recommends using NIST’s Secure Software Development Framework (SSDF) and supporting OpenEoX, an effort to standardize risk identification and end-of-life details in a machine-readable format. The recommendations align with the Biden Administration’s executive order on modernizing cybersecurity standards and the Cybersecurity and Infrastructure Security Agency’s (CISA) Security-by-Design and Default guidance. The NRC’s recommendations come as nation-state threat actors increasingly target critical infrastructure.
The NRC’s recommendations aim to improve network security infrastructure by reducing vulnerabilities created by outdated and improperly configured software and hardware. They align with the Biden Administration’s executive order on modernizing cybersecurity standards, calling for improved software supply chain security, and with CISA’s Security-by-Design and Default guidance. NRC members include AT&T, Cisco, Intel, Palo Alto Networks, and Verizon.
Key recommendations from the NRC include:
- Mapping software development methodologies with NIST’s Secure Software Development Framework (SSDF) and detailing how long support and patches will be released.
- Releasing security patches separately from feature updates.
- Supporting OpenEoX to standardize risk identification and end-of-life details in a machine-readable format.
The formation of the NRC and the release of its whitepaper has been described as a surprising but welcome development by CISA. The recommendations are aimed at advancing the cybersecurity of the product ecosystem and have the backing of top US government cybersecurity leaders.
The NRC recommends that all IT vendors adopt the best practices outlined in their whitepaper to improve network security infrastructure and better protect critical infrastructure from attacks by nation-state threat actors. The recommendations align with government initiatives to modernize cybersecurity standards, improve software supply chain security, and promote Security-by-Design and Default frameworks.
Cisco’s chief trust officer, Matt Fussa, emphasized the need for stakeholders to adopt the recommendations with a sense of urgency, as threat actors continue to actively seek opportunities to exploit vulnerable networks. He also predicted that many of the suggestions in the NRC’s whitepaper would eventually become legal requirements in Europe and the US.
While the whitepaper has received endorsement from CISA and ONCD, some experts have questioned whether it offers new information or if stakeholders would be better off reading NIST’s SSDF directly. Nevertheless, the whitepaper highlights the need for stakeholders to embrace secure-by-design processes and implement recommended end-of-life models to mitigate potential requirements and liabilities in the future.
Overall, the NRC’s recommendations aim to provide a framework for IT vendors to improve network security infrastructure and reduce vulnerabilities by addressing software development and lifecycle management. By adopting the recommendations, vendors can better align with modernized cybersecurity standards and protect critical infrastructure from cyberattacks.
