As federal agencies and contractors come to grips with the burden of protecting their software supply chain, understanding who had a hand in the development of their software products has taken on increasing importance. It comes down to pedigree. Where did your software come from? Was it domestic or international? Who had a hand in developing it?
“For lack of a better term, company profiling, you know, is there foreign ownership? Are there concerns with how this company’s operating model is, when you get deeper than that? What are their software development practices? Is it within the United States? Is it offshore? If it’s offshore, what countries is software development being done under? And then I think you also have to take a look at software development practices, you can often use code from all over, but are you really checking that code and ensuring that it doesn’t have malicious hooks into it, and that it’s what you expect it to be?” said Bob Costello, Department of Homeland Security Chief Information Officer for the Cybersecurity and Infrastructure Security Agency in a recent interview with Federal Monthly Insights – Supply Chain Risk Management.
President Joe Biden released Executive Order (EO) 14028 on “Improving the Nation’s Cybersecurity” in May of this year. It directed the National Institute of Standards and Technology to issue guidance “identifying practices that enhance the security of the software supply chain.” The EO also directed the Office of Management and Budget to require agencies to comply with the NIST guidelines when procuring software.
As agencies work towards compliance with the EO, they have to look at a number of issues. If their prime contractor has documented compliance, how about the subs down the line in the software development process?
“When you start having discussions about software development practices, are they following a good methodology? Do they have security kind of baked in throughout their development and process? I think those are things that we want to look at, because those are the things that we want to be doing on our site when we’re doing government development,” Costello said in an interview with Federal News Network’s Jason Miller.
Part of the process of providing evidence of software supply chain security is self-attestation. Any agency procuring software needs to have self-attestation from the software developers stating that the development followed NIST’s standards for secure procedures. According to NIST guidelines, attestation should focus more on ongoing practices than on specific pieces of software design.
Costello sees self-attestation more as a jumping-off point for software supply chain security than as what will eventually become a mature security practice.
“I think we want to get to a better place than just self-attestation. But that won’t always be required or possible, you know, we should really be looking at to what is the risk? Oftentimes, we, I think it’s just people, we’re not good at, you know, gauging true, true risk on things. And it’s really hard on the government side, but in some cases, there could be data that is low risk, it’s exposed and we should consider that maybe those companies that are handling that don’t need quite the level of vetting that we may want for a company handling, or designing software for national security systems or dependent systems or others. So I think there could be varying levels based on what the product is doing,” Costello said.
As supply chain risk management matures, finding the root source of software needs to become part of the formula. Finding those sources creates a challenge for primary contractors who are supplying software products. Those contractors may be relying on one or more subcontractors to provide part of a software package. While the prime may have a good sense of the security of their product, tracking and ensuring that subcontractors have been equally rigorous may be more difficult.
“Oftentimes our contracts don’t have a stipulation that only the prime can do the work. We award a contract. Oftentimes, like I always tell my primes, well, I just view it all as a prime, I don’t care that it’s company XYZ. But there will have to be an expectation that they are doing due diligence on that,” Costello said.