The timelines may be aggressive and the requirements might be detailed and lengthy, but the Biden administration said the president’s latest cybersecurity executive order provides a “necessary shock to the system,” to help agencies tackle the fundamentals of securing their networks.
Securing the software applications agencies use was a primary focus of that EO, which President Joe Biden signed back in May.
The Biden administration last week issued new guidelines to agencies, giving them 60 days to identify 12 types of on-premise critical software and another 12 months to implement critical software protections from the National Institute of Standards and Technology.
“Over the next several months, we’re going to seek to improve and expand on these resources to really meet the specific requirements of the EO and really the needs of software developers and users,” Kevin Stine, the agency’s chief cybersecurity adviser, said Tuesday at a meeting of the president’s National Security Telecommunications Advisory Committee. “We know the timelines are aggressive, but I think they’re very achievable.”
Critical software, as recently defined by NIST, should have at least direct dependencies on one of several components with a few attributes, including one that performs a “function critical to trust.”
The language in the new cyber EO and in NIST’s new critical software definition is vague, Stine acknowledged.
“In the context of the EO, critical is based not as much on the context of use but more of these properties of a given piece of software that make it critical in most cases,” he said. “That’s a slightly different lens for us to look at this through and approach the definition, but also I’d say a challenge in shifting mindsets a bit on how organizations may view critical today.”
Agencies will implement the new critical software guidelines and other provisions in a phased manner, which Stine said will allow NIST and other agencies to collect feedback on the process from both government and industry, and review and refine along the way.
“As we learn through the practical implementation of the different provisions of the EO and the guidelines and other practices, we’re going to improve those foundational resources,” Stine said. “We’re going to produce better tools — we collectively as a community with heavy industry participation here — refine development methodologies in an iterative manner so we can continuously improve those.”
OMB has said the next phase of EO implementation will come as CISA updates the list of critical software and NIST releases new guidance to secure them.
To meet those requirements, software companies are worried they’ll have completely new compliance regimes to conform to, on top of the assurance schemes they already have.
“From NIST’s perspective we do not want to establish new or different compliance regimes, nor do we intend to run our own third-party or testing and conformance program,” he said. “It’s difficult to scale those types of programs in general, and it certainly would be with respect to… the software marketplace today. Companies are going to need to determine their own capabilities to conform to the different requirements and how that conformance can be expressed.
He said NIST is interested in gaining industry feedback on what kinds of artifacts companies might use — and notably, reuse — to attest to their compliance with these new and forthcoming requirements.
“An organization’s conformance activities for other similar programs should be used to support conformance evidence in this context as well, if it’s required,” Stine said. “We hope to minimize this by not running a testing program but rather allowing for self-attestation against the different requirements and specifications within the executive order and the guidance and guidelines that will be produced.
More broadly, soliciting industry feedback and fostering an environment where the public and private sectors are collaborating is a top priority for the White House and its new national cyber director.
“We have to figure out how we do we actually collaborate so that we achieve… that proposition of ‘you got to beat all of us to beat one of us.’ If we don’t find ways to collaborate we’re going to find that those seams are an advantage to our adversaries,” Chris Inglis, the new national cybersecurity director, said Thursday at a virtual national security summit produced by Government CIO.
Inglis’ office is just about a month old, and while it’s authorized, it doesn’t yet have appropriated funding.
The White House has generated roughly $250,000 in contingency funds for the new cyber office, which allows Inglis to hire a few more people between now and the end of the fiscal year.
“We’ll probably grow to 75 people or so, not because that’s simply the number that was specified in the statute, but looking at those functions we think that’s what it’s going to take,” Inglis said. “More importantly, we will enable, power and champion the work of hundreds of others, both in the private and the public sectors, such that that team of teams will be considerably more capable because it has the fabric within which each of the parts makes a greater difference.”