In a continuing effort to bolster and secure the nation’s software supply chain, yesterday the Biden administration issued the 2023 National Cybersecurity Strategy. The plan focuses on enhancing the country’s defenses against emerging threats, such as ransomware and supply chain attacks.
We highlighted the federal government’s focus on improving the digital defenses of the U.S. back in 2021, after high-profile cybersecurity events like the SolarWinds breach and the ransomware attack on the Colonial Pipeline. At the time, Biden issued an Executive Order (EO 14028) that included new security requirements for vendors selling software to the U.S. government. It explicitly laid out the idea that, in order to protect the nation from “malicious cyber actors,” the Federal Government and the private sector must work together to secure the software supply chain.
Since then, in accordance with Section 4 of the EO, NIST (the National Institute of Standards and Technology, part of the U.S. Department of Commerce) has established new standards, tools, best practices, and other guidelines to enhance security, after which CISA (the Cybersecurity and Infrastructure Security Agency) assumed the role of operationalizing these guidelines.
In September of 2022, the Office of the President issued a memo with cybersecurity guidelines from the OMB (Office of Management and Budget):
- The memo required Federal agencies to comply with NIST guidance over the next 24 months.
- Two key deadlines were also established:
  - 270 days (June 11, 2023): agencies need to collect attestations for critical software.
  - 365 days (September 14, 2023): agencies need to collect attestations for all software.
What You Need to Know
Organizations developing applications should pay close attention to the broader implications of this most recently released strategy, so that they can prepare their organizations and software development teams before widespread changes take effect.
The strategy requires strong collaboration between the public and private sectors, and is broken into five pillars:
- Pillar One: Defend Critical Infrastructure
- Pillar Two: Disrupt and Dismantle Threat Actors
- Pillar Three: Shape Market Forces to Drive Security and Resilience
- Pillar Four: Invest in a Resilient Future
- Pillar Five: Forge International Partnerships to Pursue Shared Goals
The U.S. National Cybersecurity Strategy could impact software suppliers in several ways:
- The strategy increases the emphasis on implementing new regulations and standards for software suppliers. For example, software vendors may be required to adhere to specific security requirements, implement specific security measures, and undergo regular security audits to ensure their products are secure.
- The strategy places greater emphasis on secure software development practices. Software suppliers may need to implement additional security measures throughout the software development lifecycle to ensure their products are secure and free from vulnerabilities. This could mean investing more resources in security testing, vulnerability assessments, and threat modeling.
- The strategy encourages software suppliers to collaborate more closely with government agencies on developing secure software solutions and ensuring their products are not compromised. This could include working with the government to identify and address cybersecurity vulnerabilities in their products, or partnering with agencies to develop new cybersecurity solutions, stronger security controls for supplier onboarding, regular risk assessments, and adherence to regulatory security standards.
- Software suppliers will need to be more transparent about their security practices and vulnerability assessments. This could involve sharing more information with their customers about vulnerabilities, how those vulnerabilities are being mitigated, and what proactive measures are being implemented to ensure greater security.
- The security testing cadence will have to align with your applications’ release cycle. Running security tests once a year is most likely inadequate if your release cycle is quarterly or monthly.
The 2021 EO specified certain requirements relating to the Software Bill of Materials (SBOM) and evidence of regulatory compliance. It stated that any software provider that sells into the government must provide an SBOM. This most recent strategy doubles down on SBOM requirements and transparency:
“We will continue to build Federal cohesion through focused action across the Federal Government. OMB, in coordination with CISA, will develop a plan of action to secure FCEB systems through collective operational defense, expanded availability of centralized shared services, and software supply chain risk mitigation. These efforts will build on prior programs and prioritize actions that advance a whole-of-government approach to defending FCEB information systems. The software supply chain risk mitigation objective, developed in coordination with NIST, will build on the implementation of EO 14028, ‘Improving the Nation’s Cybersecurity,’ including the Software Bill of Material (SBOM) efforts, NIST’s Secure Software Development Framework, and related efforts to improve open-source security.”
As one security firm’s CEO said, “If you are Pen Testing your App once per year and releasing 12X per year (status quo), you are about to have a product liability problem…”
There is no doubt that more is to come from the U.S. government on strengthening security measures. Other nations are already going down similar paths. We expect a trickle-down effect to the private sector and industry groups as they, too, enact requirements on users and suppliers of applications containing open source to create more rigorous SBOM strategies and provide more visibility into their software supply chain security efforts. Having said that, the National Cybersecurity Strategy represents a long-term vision: the impact on companies developing applications with open source software may not be immediate, but it is likely to become more significant in the near future.
Regardless, preparation is key to meeting those requirements on day one and hitting the ground running:
- Implement a continuous, automated Software Composition Analysis solution that enables your development team to identify and fix vulnerabilities early in the SDLC rather than late, when fixes are far more disruptive to development.
- Invest in the right technology to track all the components in your software, regardless of where in the supply chain they originated, whether inside or outside your organization.
- Educate your teams. The top forty U.S. and top five international computer science programs do not include open source licensing and secure coding in their curricula. Companies should provide their own ongoing education for software development teams.
- Develop a culture within your organization that emphasizes security and compliance. Create an Open Source Program Office (OSPO) to operationalize your open source strategy and deliver policies around open source adoption, use, support, and software development.
Revenera can help. Our combination of cloud-based SBOM management and on-premises scanning and analysis enables you to create an SBOM not just for the code under your control, but for every component regardless of how it enters your applications. Know where all components exist in your software applications and where they came from, so you can effectively manage legal and security risk.