The NCSC last February published guidance on "defending the pipeline", urging organizations and developers to secure the continuous integration and continuous delivery (CI/CD) pipelines they use to automate software development.
The NCSC says in its announcement that the new supply chain guidance is aimed at helping medium and larger organizations "assess the cyber risks of working with suppliers and gain assurance that mitigations are in place."
"It follows a significant increase in cyberattacks resulting from vulnerabilities within supply chains in recent years, including some high-profile incidents such as the SolarWinds attack," it said.
Few UK businesses are checking supplier security. According to the UK government's 2022 Cyber Security Breaches Survey, over half of businesses, large and small, outsource IT and cybersecurity to third parties, yet only 13% assessed the risks posed by their immediate suppliers. Respondents that did not assess supplier risk said cybersecurity was not an important factor in their procurement decisions.
"Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers," said Ian McCormack, NCSC deputy director for government cyber resilience.
"With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place."
The guidance is split into five stages: why organizations should care about supply chain cybersecurity; developing an approach, which includes identifying and protecting your 'crown jewels'; applying that approach to new suppliers; applying it to existing supplier contracts; and continuous improvement.