
With software memo out, OMB moves into cyber EO implementation phase


The Office of Management and Budget outlined 17 initiatives over the next two years agencies will take to secure their software.

The focus of those 17 initiatives, however, is just on commercial software and not government developed applications.

Chris DeRusha, the federal chief information security officer, said OMB is starting with commercial-off-the-shelf (COTS) software and not agency-developed or government-off-the-shelf software (GOTS) as required by the May 2021 cyber executive order.

“This memo is focused on an agency that purchases commercial third-party software. That’s regardless of if they customize that software after the purchase. So that’s all in play here,” DeRusha said on Ask the CIO. “We also do state explicitly in this memo that agencies are expected to be following these practices. We have and we will continue to do plenty to ensure that agencies are following secure development practices. That’s a core part of any good security program. It’s something that we definitely track at OMB and discuss a lot of this with the CISO Council.”

In the memo, OMB defines third-party commercial software to include firmware, operating systems, applications and application services such as those in the cloud, as well as products containing software.

“These requirements apply to agencies’ use of software developed after the effective date of this memorandum, as well as agencies’ use of existing software that is modified by major version changes (e.g., using a semantic versioning schema of Major.Minor.Patch, the software version number goes from 2.5 to 3.0) after the effective date of this memorandum,” the memo stated.
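The applicability rule quoted from the memo above, as an added example that is not from the article or from OMB: a small inventory check that flags which software a memo-style rule would cover. The effective date, the sample inventory and the treatment of newly acquired software as "developed after the effective date" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# PLACEHOLDER: the memo's effective date is not stated in the article.
EFFECTIVE_DATE = date(2022, 1, 1)  # assumed value for illustration only

def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse Major.Minor[.Patch]; a missing patch component counts as 0.
    Anything else (prerelease tags, build metadata, words) raises ValueError
    so the entry is reviewed by hand instead of being silently classified."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Major.Minor.Patch version: {version!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return major, minor, patch

def is_major_version_change(old: str, new: str) -> bool:
    """True when the major component increases, e.g. 2.5 -> 3.0."""
    return parse_version(new)[0] > parse_version(old)[0]

@dataclass
class InventoryEntry:
    name: str
    prior_version: Optional[str]  # None: newly acquired, no prior version in use
    version: str
    change_date: date             # assumed: date acquired or upgraded

def in_scope(entry: InventoryEntry, effective: date = EFFECTIVE_DATE) -> bool:
    """Apply the memo's rule: new software after the effective date, or
    existing software modified by a major version change after that date."""
    if entry.change_date < effective:
        return False                      # predates the memo
    if entry.prior_version is None:
        return True                       # new software after the effective date
    return is_major_version_change(entry.prior_version, entry.version)

def flag_inventory(entries: List[InventoryEntry]) -> List[str]:
    """Return the names of entries the requirements apply to."""
    return [e.name for e in entries if in_scope(e)]

# Constructed sample inventory (not real agency data).
SAMPLE_INVENTORY = [
    InventoryEntry("legacy-erp", "4.1.0", "4.2.3", date(2021, 6, 1)),      # before date
    InventoryEntry("ticketing", "2.5", "3.0", date(2022, 3, 1)),           # major change
    InventoryEntry("email-gateway", "7.9.2", "7.10.0", date(2022, 5, 1)),  # minor change
    InventoryEntry("new-saas-crm", None, "1.0.0", date(2022, 4, 15)),      # newly acquired
]

if __name__ == "__main__":
    print(flag_inventory(SAMPLE_INVENTORY))  # ['ticketing', 'new-saas-crm']
```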

One of the first deadlines requires agencies to inventory their software by December, including a separate inventory of the applications deemed critical. OMB leaned on the National Institute of Standards and Technology’s 2021 definition of critical software.

DeRusha said he expects that effort to be a fairly easy lift for most large agencies, thanks to tools provided by the continuous diagnostics and mitigation (CDM) program from the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency.

Moving into next phase of cyber EO

OMB’s decision to start with commercial software is about both risk and reward. DeRusha said software must be the enabler of agency mission success. The use of commercial software, especially in the cloud, has grown at double-digit rates over the last decade.

The Alliance for Digital Innovation reported in 2019 that market research firm Deltek estimated that federal spending on commercial software between 2018 and 2023 would account for about 11% of more than $664 billion in total IT expenditures during that five-year period.

Of course, as more agencies moved to the cloud over the last two years, the security of those services has become more important.

The software security memo was the fifth, and final, memo that the cyber EO directed OMB to issue.

DeRusha said OMB is now moving into implementation mode over the coming months.

“We’re working on getting good data and performance measurement metrics around the policies. You can expect moving forward to start to see public facing metrics, showing how well we’re doing based on everything that we set in place,” he said. “We had to do that first. Then we are definitely going to start ensuring that we’re telling the story with data. That’ll take a little time. But that’s coming.”

DeRusha said OMB also is working on new Federal Acquisition Regulation rules to meet the requirements under section two of the EO around sharing threat intelligence as well as section four, which is related to the software security memo.

“Those are going to be a big deal because that’s really about getting contract clauses right and solid across all federal government agencies. That’s a really big lift, but also a really, really important one that will lift everybody up,” he said. “There’s just a lot of work attached to all this, but we do feel good that we’ve gotten through five really important memos and really instantiating clear guidance and direction about our priorities and where we need to head so we’re excited about implementation phase, and we’re just staying busy and continuing the hard work.”
