A software supply chain attack occurs when a threat actor infiltrates a software vendor's network and inserts malicious code into the software before the vendor passes it along to customers, or delivers that code later through a patch or hotfix.
'An attack can affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers,' said the report.
'Depending on the threat actor's intent and capability, this additional malware may allow the threat actor to conduct various malicious activities that may include performing data or financial theft, monitoring organisations or individuals, disabling networks or systems, or even causing physical harm or death,' said the report.
NIST recommends the following steps.
First, identify the key mission or business processes and maintain an inventory of the organisation's current and future software licences.
Next, research and document how each software licence is supported by its supplier, and understand how the software supports and relates to the key processes already documented. Lastly, document a plan to address the risks identified.
NIST also suggests eight key practices for establishing a C-SCRM approach for the software.
First, integrate C-SCRM across the organisation, establish a formal C-SCRM programme, and know and manage critical components and suppliers.
Next, understand the organisation's supply chain, closely collaborate with key suppliers, and include those key suppliers in resilience and improvement activities.
Lastly, assess and monitor suppliers throughout the relationship and plan for the full lifecycle of the software.