The Information Technology Industry Council (ITI) is a global advocate for technology representing some of the world’s most-notable and innovative companies. ITI promotes public policies and industry standards that advance competition and innovation worldwide.
John Miller is ITI’s senior vice president of Policy, Trust, Data and Technology and General Counsel. If anyone knows what companies are doing in the realm of software supply chain security, it is Miller and the team at ITI.
Companies are facing this issue as a result of government policy, and Miller is in the thick of it representing, as he said, “… companies of all kinds across the ICT ecosystem … hardware, software federal contractors.”
Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” directs agencies to adopt zero-trust cybersecurity principles and adjust their network architectures accordingly. That was two years ago, and some things are still unclear.
“You ask what advice we’re giving companies,” Miller said on Federal Monthly Insights – Securing the Supply Chain. “I think one of the primary things we’re doing is just trying to explain to them and help them [as best as we can] by making sense of what is really a pretty complex and evolving set of requirements.”
Miller points out the policy guidance and potential requirements are maturing in real time.
“The national cybersecurity strategy, which includes a software liability dimension, EO 14028, is still being implemented. Some would say, and I think we would agree at ITI, that the centerpiece of that was really Section 4, which dealt with supply chain security and software supply chain security,” he said to Tom Temin on Federal Drive with Tom Temin.
There is some concern because of a lack of clarity on what the final mandated requirements will look like. Miller points to Office of Management and Budget (OMB) Memorandum M-22-18 from September 2022, titled “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.”
“The memo sets out really what agencies are going to be required to do in this regard,” Miller said. “And the centerpiece of the memo is that it calls on a self-attestation form that is going to be required for contractors.”
The form has been delayed while the Cybersecurity and Infrastructure Security Agency (CISA) and OMB work on it, so the level of worry about what these requirements will mean is not known right now.
“I think everyone’s waiting to see it when it comes out. It will be open for public comment, but it’s hard to gauge the level of concern, because for instance, contractors haven’t seen exactly what that will look like and what the agencies are going to require of them,” Miller said.
Among the many unknowns at this point is liability. The strategy is short on specifics in this regard as well.
“It says the administration is going to work with Congress to establish liability for software products and services, including minimum requirements. On the good news front, it does contemplate a Safe Harbor Framework, but it’s pretty thin on details.”
Now companies and contractors await the implementation roadmap, which Miller expects to be published in a few months.
“There are a lot of questions on that. And anytime there’s potential new liability for companies, there’s going to be some level of concern as to what that means.”