CISA, NIST Release Guidance on Defending Against Supply Chain Attacks In light of recent supply chain intrusions, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Agency (CISA) and National Institute for Standards and Technology (NIST) have released new guidance on defending supply chain software, using the NIST framework to identify and mitigate risks. In addition to information about supply chain risks and common attack techniques, the resource helps guide users through identifying, assessing, and mitigating supply chain risks using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF). “Network defenders are limited in their ability to quickly mitigate consequences after a threat actor has compromised a software supply chain. This is because organizations rarely control their entire software supply chain and lack authority to compel every organization in their supply chain to take prompt mitigation steps,” the guidance says.