The White House issued new guidelines this week ordering federal agencies to create a comprehensive inventory of the software they use within 90 days.
In a letter to all heads of executive departments and agencies, White House Office of Management and Budget (OMB) Director Shalanda Young noted that the sweeping executive order on cybersecurity issued last May by President Joe Biden had directed the National Institute of Standards and Technology (NIST) to publish guidance on how agencies can better protect government systems by acquiring more secure software.
Now that NIST has finished its guidelines, OMB wants all agencies to apply them to any third-party software used on an agency's information systems. The rules do not apply to software developed by the agencies themselves.
One of the key tenets of the NIST guidelines is that agencies must require software producers to show that they have followed a "risk-based approach to secure software development", and agencies are now prohibited from using software that does not comply with the NIST guidelines.
Software vendors will be required to send agencies a “self-attestation” letter about product security features, recent changes, and more. Vendors must also certify that they follow “secure development practices.”
In addition to the 90-day deadline to create an inventory of all software in use, agency CIOs have 120 days to develop a process for communicating new requirements to software vendors. Within 270 days, agencies must collect letters from vendors regarding “critical” software. Agencies should receive letters from vendors regarding all software – critical and otherwise – by next September.
The letter assigns an additional task to agency CIOs: they have six months to train staff to validate what software vendors claim in their attestation letters. Any request to extend a deadline must be submitted within 30 days of that deadline.
Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, said it is important for agencies to engage in this process because they handle "everything from tax filings to veterans' medical records."
DeRusha specifically cited the SolarWinds incident as one of the reasons the effort was paramount for agencies, noting that the 2020 compromise saw several federal agencies and corporations breached through malicious code inserted into SolarWinds software.
That small modification created a backdoor into the digital infrastructure of federal agencies and private sector companies.
"This incident was part of a series of significant cyber intrusions and software vulnerabilities over the past two years that threatened the delivery of government services to the public, as well as the integrity of vast amounts of personal information and data of privately run businesses," DeRusha said.
He added that the goal of the effort is to ensure that “millions of lines of code that underpin the work of federal agencies are built with industry security standards in place.”
Young, the director of OMB, said the tasks are part of a larger effort to get agencies to consistently use NIST’s guidance when choosing which software to use.
Young also described a process in which vendor “self-attestation” letters can be supplemented or replaced with a third-party assessment provided by a federally certified organization or government agency.
The letter to the agencies adds that they can require a Software Bill of Materials (SBOM), a list of the components that make up a piece of software, analogous to an ingredient list.
In recent months, the Cybersecurity and Infrastructure Security Agency (CISA) has led an industry-wide push to make SBOMs a standard part of any software release, in the hope that the practice will make it easier to find potentially vulnerable components. Cybersecurity experts and lawmakers say SBOMs would make it easier for organizations to deal with issues such as the Log4j vulnerability disclosed in December 2021, because an SBOM helps an organization determine whether it is exposed and how to mitigate the threat.
OMB is working with CISA and the General Services Administration (GSA) to create a centralized repository for software attestations. CISA has also been assigned a series of tasks to complete over the next year, including drafting some of the guidelines agencies will follow in the future.
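The Log4j case above is the usual illustration of what an SBOM buys a consumer: given a machine-readable component list, exposure to a published vulnerability becomes a lookup rather than a hunt through build trees. The script below is an added example, not code from the OMB memo, CISA or any vendor. It walks a constructed CycloneDX-style JSON SBOM (the component entries are made up for the demonstration and describe no real product) and flags any `log4j-core` whose version falls in the range affected by CVE-2021-44228, which is 2.0-beta9 through 2.14.1 inclusive. The version parser is deliberately minimal and only understands the `major.minor[.patch][-beta|rc N]` forms Log4j 2 actually shipped; a production check would consult a vulnerability feed rather than a hard-coded range.

```python
import json
import re

# Constructed sample SBOM in CycloneDX JSON form. The components are invented
# for this example; nested "components" are allowed by the format and are
# walked recursively below.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.0"},
        {"type": "application", "name": "reporting-service", "version": "1.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.17.1"},
         ]},
    ],
})

# Matches "2.14.1", "2.0", "2.0-beta9", "2.0-rc2". Anything else is unparseable.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
# Pre-release stages sort before the final release: 2.0-beta9 < 2.0-rc1 < 2.0
_STAGE_RANK = {"beta": 0, "rc": 1, None: 2}


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, stage, n) or None."""
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE_RANK[stage], int(num or 0))


# CVE-2021-44228 affected range for log4j-core (inclusive on both ends).
AFFECTED_MIN = parse_version("2.0-beta9")
AFFECTED_MAX = parse_version("2.14.1")


def is_log4shell_affected(component):
    """True if this component is a log4j-core build in the affected range."""
    if component.get("group") != "org.apache.logging.log4j":
        return False
    if component.get("name") != "log4j-core":
        return False
    version = parse_version(component.get("version", ""))
    if version is None:
        # Unparseable version strings should be surfaced for manual review in
        # a real pipeline; here they are simply not reported as affected.
        return False
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def _walk(components):
    """Yield every component, descending into nested component lists."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def find_affected(sbom_json):
    """Return 'group:name@version' strings for every affected component."""
    sbom = json.loads(sbom_json)
    return [
        f"{c['group']}:{c['name']}@{c['version']}"
        for c in _walk(sbom.get("components", []))
        if is_log4shell_affected(c)
    ]


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM):
        print("AFFECTED:", hit)
```

The check keys on the Maven group and artifact rather than on the name alone, because an SBOM for a Java application will often list `log4j-api` alongside `log4j-core`, and only the latter carries the vulnerable JNDI lookup path. Note also that the same walk answers the "are we exposed?" question for any component once the matching predicate is swapped for one driven by a vulnerability feed.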
DeRusha explained that the guidelines released this week were created with input from the public and private sectors as well as academia. This will allow federal authorities to quickly identify security flaws when new vulnerabilities are discovered, he added.
"Not so long ago, the only real test of good software was whether it worked as advertised," DeRusha said. "With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting American public data and protecting against foreign adversaries."
"Long overdue"
Rick McElroy, senior cybersecurity strategist for VMware, told The Record that while the timeline "seems aggressive," all of the goals listed in the memo are "meritable and long overdue."
He added that this will have a major impact on any supplier of technology or software services to government agencies, noting that suppliers will now need to be prepared to meet the requirements outlined.
And because the government spends billions of dollars on software, the requirements may have a downstream effect: software vendors may decide to offer the same assurances to their commercial customers.
Immersive Labs' Kev Breen explained that executives' focus on getting new products to market quickly means cybersecurity is not always the top priority, potentially exposing companies to millions in lost revenue and a damaged brand reputation.
Former Obama administration cybersecurity commissioner Tom Kellermann told The Record that software supply chains are now under siege thanks to a deluge of cybercriminals and spies specifically targeting development, integration and software delivery infrastructure.
“Given the sophistication of recent software supply chain cyberattacks, ensuring software integrity is paramount to protecting against systemic cyberattacks of federal systems,” he said.
DeRusha said the software requirements are part of a broader effort by the Biden-Harris administration to modernize federal agencies' cybersecurity practices, improve threat detection and response, and "quickly investigate and recover from cyberattacks."
"The guidance released today will help us build trust and transparency in the digital infrastructure that underpins our modern world and enable us to fulfill our commitment to continue to lead by example while protecting the national and economic security of our country," he said.