Deploying Securely

Deliver software. Manage risk. Create value.

What is a software supply chain attack?

Deploying Securely, September 25
Software supply chain security is all the rage these days, and for good reason. A steady increase in attacks over the past decade culminated in the “big one” (so far) in which the Russian SVR penetrated U.S. government networks, a cybersecurity company, and thousands of other targets via the IT company SolarWinds.

Confronting the government's latest secure software development guidance

Deploying Securely, September 16
Unless you are a cybersecurity and policy nerd like myself, you might have missed the issuance of Office of Management and Budget (OMB) Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.”

But is it exploitable?

Deploying Securely, September 04
I frequently note that about 90% (sometimes I say 95%, as I think the former figure is conservative) of all Common Vulnerabilities and Exposures (CVE) identified in the National Vulnerability Database (NVD) are not exploitable in any given configuration.

A review of NIST SP 800-37

In this post I will break down NIST Special Publication (SP) 800-37, which has a title that rolls easily off the tongue: “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.” This is the second in a mini-series on federal government vulnerability management practices and recommendations; check out my first piece on the NIST Cybersecurity Framework as well. As with that writeup, I’ll focus this one on how SP 800-37 applies to vulnerability management in real-world situations.

Hello world (v. 2)!

Welcome to Deploying Securely, hosted on Mirror!