The Biden administration’s first sprint under the cybersecurity executive order is underway. It starts by giving agencies 60 days to identify 12 types of critical software that they are using on-premise or are in the process of buying for on-premise use.
Once agencies identify those software installations, the Office of Management and Budget is giving them 12 months to implement the critical software protections outlined by the National Institute of Standards and Technology in July.
“The federal government’s ability to perform its critical functions depends upon the security of its software,” wrote Shalanda Young, acting OMB director, in a memo to agencies released today. “Much of that software is commercially developed through an often opaque process that may lack sufficient controls to prevent the creation and exploitation of significant application security vulnerabilities. As a result, there is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely in the manner intended. The federal government must identify and implement practices that enhance the security of the software supply chain and protect the use of software in agencies’ operational environments.”
OMB’s implementation guidance gives every agency deadlines and actions that need to happen to meet some of the goals of the EO.
“During the initial implementation phase, agencies should focus on standalone, on-premise software that performs security-critical functions or poses similar significant potential for harm if compromised,” Young wrote.
The software types agencies need to focus on are:
Identity, credential, and access management (ICAM);
Kent Landfield, the chief standards and technology policy strategist for McAfee Enterprise, said in an interview that none of these areas of focus are surprising, but that may not make it easy to meet both the 60-day and one-year deadlines.
“It’s a task. Unless you’re really good at asset management, and you’re really good at integrating procurement capabilities into your asset management environments. It’s going to be a task,” Landfield said. “There are a lot of places where software’s not purchased centrally, it’s purchased throughout the organization as such, they have to get a handle on that and understand what it is that is in process, as well as what is already either deployed or on the shelf.”
“I like the phased approach to this effort. What NIST put out sounds small, five objectives, and each one of them has three to five subcategory objectives. The reality is, this is a lot of work, there’s no question this will be a lot of work. If agencies have not been paying attention to this guidance in the past or been doing it when it was expedient, this is going to be a lot of work. So, from that perspective, doing this as a phased approach is probably a rather reasonable way to make some real progress,” he said. “My only question right now is really, in some of the timelines that they’ve specified, they have what seems to be a short turnaround on identifying agency critical software. They’re going to have to identify it and document it.”
It’s that step, identifying the software, where the challenge will come in.
Agencies have made progress knowing what’s on their network through the continuous diagnostics and mitigation (CDM) program from the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.
OMB says the next phase of implementation will come as CISA updates the list of critical software and NIST releases new guidance to secure them.
The next phase may address anything from software that controls access to data to cloud and hybrid-cloud software and operational technology applications.
Landfield said it makes sense for OMB to start with on-premise environments because that is what agencies control and can affect change more quickly.
“I’m hoping that NIST doesn’t wait a year to issue new guidance so that it triggers a new phase. For example, six months down the road NIST issues guidance, that’s going to cause a trigger for the subsequent phase for cloud-based software or software controls access to data or those other types of areas where they’re going to have to address those as well, those subsequent phases may take a year to actually get done because they’re not so much the regular kind of network security issues they’ve been dealing with in the past,” he said.