NIST SSDF Cybersecurity Tasks

Global Electronics Contractor Leverages Wind River Security Services to Identify SDLC Gaps and Streamline the Path Toward Meeting SSDF Tasks

CUTS COST OF MEETING SSDF MANDATES WHILE ACCELERATING DEVELOPMENT PROJECTS

Highlights

An international defense electronics company with substantial U.S. business needed to identify, prioritize, and remediate gaps between its SDLC and the tasks of the SSDF so it could reliably meet the cybersecurity requirements of Section 4e of Executive Order 14028, helping the company improve the nation's security and pursue more business opportunities with full confidence.

It's no secret that meeting the cybersecurity standards of the U.S. government and federal entities can be a daunting challenge for companies that develop systems and software. But what is the secret to optimizing the software development lifecycle (SDLC) in order to meet the tasks of the Secure Software Development Framework (SSDF) quickly, reliably, and at a lower cost? For one Wind River® customer — an international provider of advanced, intelligent electronics systems for defense, homeland security, aviation, medical instrumentation, and more — the solution was Wind River Security Services.

Specifically, the company engaged with Wind River for a Security Assessment and SSDF Gap Analysis. The service provided a rigorous, expert assessment of the company's SDLC, identification of gaps in SSDF-related tasks that could impact self-attestation, and detailed recommendations for remediating those gaps.

Challenges

• Enhance the SDLC to meet increasingly stringent government cybersecurity requirements, defined by EO 14028.
• Keep capital expenditure to a minimum as the company builds out the systems necessary to meet requirements.
• Meet compliance requirements reliably without overstaffing or overburdening cybersecurity staff.
These capabilities were extremely important to the customer and are also highly relevant to many other companies because, as directed by OMB Memorandum M-22-18, organizations providing critical software to any U.S. government agency are required to complete and submit the self-attestation common form from the Cybersecurity and Infrastructure Security Agency (CISA) between mid-2022 and early 2023.

As a longtime user of VxWorks® and Wind River Linux, the company had a history of success with Wind River and deep confidence in Wind River expertise and assessment capabilities.

Wind River Solutions

• Security Services: Security Assessment and SSDF Gap Analysis
  – Expert analysis of the firm's SDLC
  – Identification of gaps between SDLC and SSDF
  – Remediation guidance on identified gaps
  – Collaboration with DevSecOps team to prioritize and strategize on remediation efforts
• Future Migration to Wind River Studio Developer
  – Multiple features and capabilities to facilitate remediations recommended in the SSDF gap analysis
  – Optimized for the customer's existing VxWorks and Wind River Linux platforms

The key recommendations focused on leveraging a centralized, automated DevSecOps pipeline, including necessary DevSecOps tasks and activities such as:

• Building out a generic base pipeline leveraging infrastructure-as-code and configuration-as-code automation, to allow a centralized team to generate pipelines via automation as needed
• Providing automated security gate capabilities in all pipelines
• Making available and requiring the use of application security testing tools in all pipelines (e.g., SAST, SCA, and DAST where applicable)
• Embedding security requirements into software configuration management

The analysis and recommendations gave the customer the ability to prioritize needed changes to the SDLC, quantify the staffing needs and costs associated with those changes, and implement them in a structured, cost-efficient way going forward.
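The "automated security gate" recommendation above is the one piece of the pipeline that turns scanner output into a build decision. The following is an added illustration, not Wind River's code or the customer's pipeline: it takes normalised SAST/SCA/DAST findings, applies a severity policy, honours only time-boxed and justified suppressions, and fails closed on anything it cannot classify. The finding and suppression formats, the sample data, and the ids are all constructed assumptions; a real pipeline would first convert each tool's report into this shape.

```python
"""Pipeline security gate (added example; not Wind River's code or the
customer's pipeline). Models the "automated security gate" step: the
pipeline collects SAST/SCA/DAST findings, and this policy step blocks the
build when unsuppressed findings reach the blocking severity. Finding and
suppression formats are assumptions, not any particular scanner's output.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    block_at: str = "high"           # findings at or above this severity block
    max_suppression_days: int = 90   # longest permitted risk acceptance window


@dataclass
class GateResult:
    passed: bool = True
    blocking: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)
    invalid_suppressions: list = field(default_factory=list)


def suppression_is_valid(sup, today, policy):
    """A suppression needs a justification, must not be expired, and must not
    exceed the policy's maximum window (no open-ended risk acceptance)."""
    if not sup.get("justification", "").strip():
        return False
    if sup["expires"] < today:
        return False
    return (sup["expires"] - sup["granted"]).days <= policy.max_suppression_days


def evaluate_gate(findings, suppressions, policy, today):
    """findings: dicts with id, tool, severity, location.
    suppressions: finding id -> {justification, granted, expires}."""
    threshold = SEVERITY_RANK[policy.block_at]
    result = GateResult()
    for f in findings:
        sev = SEVERITY_RANK.get(str(f.get("severity", "")).lower())
        if sev is None:
            # Unrecognised severity: fail closed rather than silently ignore it
            result.blocking.append(f)
            continue
        if sev < threshold:
            continue
        sup = suppressions.get(f["id"])
        if sup is None:
            result.blocking.append(f)
        elif suppression_is_valid(sup, today, policy):
            result.suppressed.append(f)
        else:
            result.invalid_suppressions.append(f)
            result.blocking.append(f)
    result.passed = not result.blocking
    return result


# Constructed sample data standing in for normalised scanner output
SAMPLE_FINDINGS = [
    {"id": "SAST-001", "tool": "sast", "severity": "critical", "location": "src/parse.c:42"},
    {"id": "SCA-017", "tool": "sca", "severity": "high", "location": "third_party/libfoo 1.2.3"},
    {"id": "SCA-021", "tool": "sca", "severity": "high", "location": "third_party/libbar 0.9"},
    {"id": "SAST-002", "tool": "sast", "severity": "low", "location": "src/log.c:10"},
    {"id": "DAST-003", "tool": "dast", "severity": "unrated", "location": "/api/login"},
]

SAMPLE_SUPPRESSIONS = {
    # In-window, justified risk acceptance: allowed through
    "SCA-017": {"justification": "Vulnerable code path not reachable; fix scheduled",
                "granted": date(2024, 2, 1), "expires": date(2024, 4, 1)},
    # Expired acceptance: the gate must block again
    "SCA-021": {"justification": "Awaiting upstream patch",
                "granted": date(2023, 10, 1), "expires": date(2024, 1, 1)},
}


def sample_run(today_iso="2024-03-01", policy=None):
    """Evaluate the constructed sample as of the given date."""
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_SUPPRESSIONS,
                         policy or Policy(), date.fromisoformat(today_iso))


def gate_exit_code(result):
    """0 lets the pipeline continue; non-zero stops it (what a CI step checks)."""
    return 0 if result.passed else 1


if __name__ == "__main__":
    import sys
    r = sample_run()
    for f in r.blocking:
        print(f"BLOCK {f['id']} ({f['severity']}) at {f['location']}")
    for f in r.suppressed:
        print(f"SUPPRESSED {f['id']} until {SAMPLE_SUPPRESSIONS[f['id']]['expires']}")
    print("gate:", "PASS" if r.passed else "FAIL")
    sys.exit(gate_exit_code(r))
```

Two design choices carry the security value: the gate fails closed on findings it cannot rate, so a misconfigured tool cannot silently open the door, and suppressions expire, so a risk accepted today is re-evaluated when its window ends rather than becoming permanent. Wiring the exit code into every generated pipeline is what makes the gate "in all pipelines" rather than optional.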
Furthermore, the features and capabilities of Wind River Studio aligned extremely well with the requirements of implementing the recommendations. For example, the company has the ability to harness Pipeline Manager, workflow automation, digital feedback loop, third-party tool integration, and more to execute on the recommendations.

Outcomes

• Identification of existing DevSecOps team capacity and capability to efficiently align to NIST SSDF practices
• Investment allocation insights that are based on tangible, objective data, helping to secure resources for high-return DevSecOps productivity
• Staffing recommendations to obtain the right number of people with the right mix of skills
• Unlocked ability to pursue new business opportunities that require NIST SSDF compliance

The net result: The company was able to quickly align its SDLC to address the stringent cybersecurity standards of the U.S. government and meet future self-attestation requirements at a lower cost, within a reduced time frame, with a high degree of reliability and confidence.

Learn more about the Wind River Security Assessment service: www.windriver.com/resource/professional-services-security-assessment-datasheet