Focus on EO Section 4: Enhancing software supply chain security

Years before the SolarWinds hack that endangered the systems of thousands of companies and government agencies, the RSA hack of 2011 shattered both public and private sector enterprises’ sense of security.

Since then, the government has spent an untold number of hours adopting many different approaches to cybersecurity. Section 4 in the cybersecurity executive order (EO) is, in many ways, the most prescriptive of the entire EO, tackling head-on how to get vendors to improve the security of their products.

“Overall, when you look at the EO, the most significant parts are aimed at trying to leverage the buying power [of the government] and driving some changes in the market for IT and associated cybersecurity,” said Michael Daniel, former special assistant to the president and cybersecurity coordinator, now the president and CEO of the Cyber Threat Alliance. “The other pieces are a continuation of a process that’s been going on for a very long time – the centralization of cybersecurity on the federal civilian side, and continuing to [have] fewer agencies in the business of cyber.”

Section 4 lays out numerous actions to be taken by the National Institute of Standards and Technology (NIST) in establishing criteria for securing the software supply chain. Examples of this include establishing guidelines, identifying best practices and setting standards for performance. For instance, it calls on software vendors to provide a software bill of materials (SBOM), defined by the National Telecommunications and Information Administration as a “nested inventory, a list of ingredients that make up software components,” including both commercial and open-source components.

“Having that prioritized is a recognition of [its] importance,” said Greg Touhill, director, CERT Division, Software Engineering Institute, Carnegie Mellon University and former federal chief information security officer during the Obama administration. “[We’ve been] seeing a lot of evidence that some folks are developing code and posting it where it has an unacceptable level of vulnerabilities.”

Because the internet of things (IoT) is becoming so common throughout American life – smart houses, smart cars, smart cities, i.e., just about everything labeled “smart” – NIST and the Federal Trade Commission are tasked with devising a consumer labeling program for the cybersecurity of software programs and IoT devices, and running one or more pilot programs to determine their effectiveness. NIST is tasked with determining whether there will be a recommended label or a tiered software security rating system.

“The executive order talks about having an Energy Star-type label,” Touhill said. “Ultimately, what we were trying to do when I was at DHS was work with third parties like [Underwriters Laboratories] for some construct where you could have an independent third party auditor to confirm the software was developed on certain security standards and meets certain maturity models … I like that they’re going to try a pilot, not the whole [market]. I like to have fly-offs to see what’s best.”

The Homeland Security Department, working with the Department of Defense, the Justice Department and the Office of Management and Budget, has a year to recommend to the Federal Acquisition Regulations (FAR) Council contract language requiring software suppliers for government agencies to comply with the standards laid out in Section 4. The hope is that these changes will ripple through the commercial software market, too.

“Software providers aren’t going to be like, ‘Well, I’ll do the secure development for the public sector, but not the private,’” said Daniel.

Possibly driving that effort even more, the EO has teeth: Software that doesn’t meet the new cybersecurity standards will be removed from multiple-award contracts, including the Federal Supply Schedules, governmentwide acquisition contracts and other vehicles across government.

Agencies do not escape sharp scrutiny, either – those that fail to meet specific requirements, such as establishing multi-factor authentication and encryption of data at rest and in transit, must request waivers. The waivers are not automatic, will be for a limited period of time and are conditioned on having plans to mitigate potential risks while shortcomings are addressed.

“There’s a lot of accountability in here. If you have to ask for a waiver, it goes to Anne Neuberger, the deputy assistant to the President – these are things that come into OMB and the National Security Council,” said Karen Evans, former federal CIO during the George W. Bush administration. “These are things that everybody should have been doing already – they’re in NIST publications.”

Table of relevant deadlines set in Section 4

Section 4 sets several deadlines for immediate action, with other deadlines following their completion.

| Deadline | Action required by | Outcome |
|---|---|---|
| 30 days | Secretary of Commerce/NIST | Solicit input from government, private sector, academia and others to identify existing or develop new standards, tools and best practices for software supply chain security |
| 180 days | NIST director | Publish preliminary guidelines on best practices, standards and tools |
| 360 days | NIST director | Publish guidelines with procedures for updating |
| 90 days* | Secretary of Commerce/NIST; other agencies chosen by NIST | Based on preliminary best practices, guidance to secure software development environments, including: establishing multi-factor, risk-based authentication and conditional access; employing encryption for data; monitoring operations and responding to alerts; employing automated tools or comparable processes to maintain trusted source code supply chains; providing purchasers a Software Bill of Materials (SBOM) for each product |
| 60 days | Secretary of Commerce; Assistant Secretary for Communications and Information; Administrator, National Telecommunications and Information Administration | Publish the minimum elements for a Software Bill of Materials |
| 45 days | Secretary of Commerce/NIST; Secretary of Defense/NSA; Secretary of DHS/CISA; OMB director; Director of National Intelligence | Publish a definition of “critical software” |
| 60 days | Secretary of Commerce/NIST; Secretary of DHS/CISA; OMB director | Publish guidance on security measures for critical software |
| 1 year | Secretary of DHS; Secretary of Defense; Attorney General; OMB director/Administrator of the Office of Electronic Government | Recommend to the FAR Council contract language for software suppliers regarding compliance with this section |
| 60 days | Secretary of Commerce/NIST; Secretary of Defense/NSA | Publish guidelines for minimum standards for vendors’ testing of their software source code |
| 270 days | Secretary of Commerce/NIST; Chair, Federal Trade Commission; other agencies designated by NIST | Identify IoT cybersecurity criteria for a consumer labeling program |
| 270 days | Secretary of Commerce/NIST; Chair, FTC; other agencies designated by NIST | Identify secure software development practices or criteria for a consumer software labeling program |
| 1 year | Director of NIST | Review pilot programs educating the public on IoT security capabilities |
| 1 year | Secretary of Commerce; other agencies designated by the Secretary of Commerce | Report to the president on progress made under this section and outline additional steps needed to secure the software supply chain |

*This deadline is contingent upon a previous action; it is included because it is at the core of Section 4.
