Focus on EO Section 4: Enhancing software supply chain security

Years before the SolarWinds hack that endangered the systems of thousands of companies and government agencies, the RSA hack of 2011 shattered both public and private sector enterprises’ sense of security.

Since then, the government has spent an untold number of hours adopting many different approaches to cybersecurity. Section 4 in the cybersecurity executive order (EO) is, in many ways, the most prescriptive of the entire EO, tackling head-on how to get vendors to improve the security of their products.

“Overall, when you look at the EO, the most significant parts are aimed at trying to leverage the buying power [of the government] and driving some changes in the market for IT and associated cybersecurity,” said Michael Daniel, former special assistant to the president and cybersecurity coordinator, now the president and CEO of the Cyber Threat Alliance. “The other pieces are a continuation of a process that’s been going on for a very long time – the centralization of cybersecurity on the federal civilian side, and continuing to [have] fewer agencies in the business of cyber.”

Section 4 lays out numerous actions to be taken by the National Institute of Standards and Technology (NIST) in establishing criteria for securing the software supply chain. Examples of this include establishing guidelines, identifying best practices and setting standards for performance. For instance, it calls on software vendors to provide a software bill of materials (SBOM), defined by the National Telecommunications and Information Administration as a “nested inventory, a list of ingredients that make up software components,” including both commercial and open-source components.

“Having that prioritized is a recognition of [its] importance,” said Greg Touhill, director, CERT Division, Software Engineering Institute, Carnegie Mellon University and former federal chief information security officer during the Obama administration. “[We’ve been] seeing a lot of evidence that some folks are developing code and posting it where it has an unacceptable level of vulnerabilities.”

Because the internet of things (IoT) is becoming so common throughout American life – smart houses, smart cars, smart cities, i.e., just about everything labeled “smart” – NIST and the Federal Trade Commission are tasked with devising a consumer labeling program for the cybersecurity of software programs and IoT devices, and running one or more pilot programs to determine their effectiveness. NIST is tasked with determining whether there will be a recommended label or a tiered software security rating system.

“The executive order talks about having an Energy Star-type label,” Touhill said. “Ultimately, what we were trying to do when I was at DHS was work with third parties like [Underwriters Laboratories] for some construct where you could have an independent third party auditor to confirm the software was developed on certain security standards and meets certain maturity models … I like that they’re going to try a pilot, not the whole [market]. I like to have fly-offs to see what’s best.”

The Homeland Security Department, working with the Department of Defense, the Justice Department and the Office of Management and Budget, has a year to recommend to the Federal Acquisition Regulations (FAR) Council contract language requiring software suppliers for government agencies to comply with the standards laid out in Section 4. The hope is that these changes will ripple through the commercial software market, too.

“Software providers aren’t going to be like, ‘Well, I’ll do the secure development for the public sector, but not the private,’” said Daniel.

Possibly driving that effort even more, the EO has teeth: Software that doesn’t meet the new cybersecurity standards will be removed from multiple-award contracts, including the Federal Supply Schedules, governmentwide acquisition contracts and other vehicles across government.

Agencies do not escape sharp scrutiny, either – those who fail to meet specific requirements, such as establishing multi-factor authentication and encryption of data at rest and in transit, must request waivers. The waivers are not automatic, will be for a limited period of time and are conditioned on having plans to mitigate potential risks while shortcomings are addressed.

“There’s a lot of accountability in here. If you have to ask for a waiver, it goes to Anne Neuberger, the deputy assistant to the President – these are things that come into OMB and the National Security Council,” said Karen Evans, former federal CIO during the George W. Bush administration. “These are things that everybody should have been doing already – they’re in NIST publications.”

Table of relevant deadlines set in Section 4

Section 4 sets several deadlines for immediate action, with other deadlines following their completion.

Deadline         Action Required by                          Outcome

*This deadline is contingent upon a previous action; it is included because it is at the core of Section 4.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.