The White House has previewed plans to implement commercial software security requirements called for in the Executive Order on Improving National Cybersecurity. A fact sheet released in October describes efforts to leverage federal procurement power to strengthen cybersecurity.
One of the key parts of the plan to put cybersecurity at the forefront of acquisitions is using a software bill of materials (SBOM), a machine-readable list of a software product’s components, to determine if the product is susceptible to cyber threats. It is useful for checking in real time what is going on.
Some industry groups oppose legislation that would require software vendors to provide SBOMs to certify that their products are free of known flaws. But other experts and industry leaders say the time has come for SBOM to become standard practice.
For example, widespread exploitation of a vulnerability known as Log4Shell in the Apache Log4j software library posed a significant threat because the open source library is ubiquitous in commercial software. Vulnerabilities such as these raise concerns about the risks to software ecosystems around the world, prompting policymakers to act.
“What Log4j is telling us is that we need to improve the security of open source software,” said Phil Stupak, director of federal cybersecurity in the Office of the National Cyber Director, at an industry event in September. “We have an obligation to do so.”
“SBOM is like a basic ‘building block’ that goes into a digital product,” says Jon Geater, co-founder of software-as-a-service platform RKVST. “Just like some people really want to know if their candy bars contain wheat or nuts, digital consumers need to know what’s in their property.”
Geater added that SBOM is the first step for companies to properly manage their risks. “If you wake up to a big news story like Log4Shell, you don’t have to wait for every single vendor to contact you individually. You can look at everything you have and immediately see where Log4j is in your infrastructure,” he said.
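As an added illustration of the lookup Geater describes (example code written for this page, not code from the article or from RKVST): a small Python check that walks a constructed CycloneDX-style SBOM, including nested components, and flags any component whose version falls inside the affected range of an advisory record. The SBOM contents, the advisory id and its version range are constructed placeholders, not real product or advisory data.

```python
import json

# Constructed CycloneDX-style SBOM (illustrative; not a real product's inventory).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.17.1"},
    {"type": "application", "name": "reporting-service", "version": "3.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.17.1"}
     ]}
  ]
}"""

# Constructed advisory record: the id and version range are placeholders, not the
# authoritative range of any real advisory. A real feed would supply these values.
ADVISORIES = [
    {"id": "ADVISORY-EXAMPLE-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
]

def parse_version(v):
    """Turn a dotted version into a comparable tuple using the leading digits of
    each segment, so '2.0-beta9' compares as (2, 0); pre-release tags are ignored."""
    parts = []
    for segment in v.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def iter_components(components, path=()):
    """Yield every component with the path of names that leads to it (nested
    components count too, since a vulnerable library may be bundled in a product)."""
    for comp in components:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield comp, here
        yield from iter_components(comp.get("components", []), here)

def find_affected(sbom_text, advisories):
    """Return the components whose group/name match an advisory and whose version
    lies in [introduced, fixed)."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp, path in iter_components(sbom.get("components", [])):
        version = parse_version(comp.get("version", "0"))
        for adv in advisories:
            same_pkg = comp.get("group") == adv["group"] and comp.get("name") == adv["name"]
            in_range = parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"])
            if same_pkg and in_range:
                hits.append({"advisory": adv["id"], "path": " > ".join(path)})
    return hits
```

Running `find_affected(SBOM_JSON, ADVISORIES)` reports only the top-level `log4j-core@2.14.1`; the nested copy is past the fixed version and `log4j-api` never matches the advisory.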
“Sufficient Guidance” for SBOM
The federal government has several initiatives underway to implement software security standards. These include driving the expansion and maturity of the Secure Software Development Framework (SSDF) at the National Institute of Standards and Technology, and stakeholder-led efforts at the National Telecommunications and Information Administration (NTIA) to improve the transparency of software components.
JC Herz, co-chair of the NTIA’s Software Transparency Standards and Formats Working Group and co-founder of the software supply chain intelligence platform Ion Channel, said: “The uncomfortable unanswered question is what are you going to do with the findings when it becomes clear that your vendor or contractor is not maintaining their products or deliverables?”
The latest guidance from the Office of Management and Budget offers advice to organizations struggling to create a complete SBOM: start small with a certification from your software provider that confirms the secure development and shipping of the product.
“These letters are not and probably will never be standardized, but that doesn’t matter,” said Geater. “It is important to ensure that the evidence we rely on today is independently verifiable and cannot be altered, shredded, or deleted.”
Speeding up rulemaking
While the Federal Acquisition Regulatory Council must follow a rulemaking process that typically takes months to collect, analyze, and respond to public comment, the White House and federal agencies have several options to accelerate the implementation of new third-party software requirements, said Soraya Correa, former Chief Procurement Officer for the Department of Homeland Security.
“They can make interim rules to go ahead with something quickly, and they can make FAR deviations to enforce the rules,” Correa told FCW. “That process could be a fast one, probably taking about four months.”
She added that procurement officials at the Department of Defense, NASA, and the General Services Administration will likely conduct analysis to determine the potential impact on the private sector before expediting the implementation process.
“We know the risks we face when making these procurements, so there is certainly pressure,” Correa said. “We need to get them done quickly, but we also need to protect the integrity of the data, the systems these solutions sit on, and the processes.”
A spokesperson for OMB told FCW that the FAR Council will consider actions necessary to implement standards for third-party software included in NIST’s SSDF.
OMB previously directed agencies to obtain self-certification from software providers attesting to their adherence to standardized development practices, and the FAR Council proposed rulemaking to implement standard self-certification forms. These directives also drew on NIST guidance on third-party software development.
“By calling for a standardized approach to safeguarding software development, [SSDF] …,” Eric Baize, vice president of product and application security at Dell Technologies, told FCW.
Douglas Schmidt, an engineering professor at Vanderbilt University and a former member of the Air Force’s Scientific Advisory Board, said he supports the White House’s move to implement third-party software security requirements for federal agencies. He added that the Department of Defense’s Cybersecurity Maturity Model Certification “defines a very comprehensive set of controls” that agencies can use to ensure software products meet standardized requirements.
However, SBOM and other security standards alone cannot mitigate cyber threats, he said. Automated tools that continuously assess software vulnerabilities also play an important role.
Do government agencies know what to do with SBOM?
BSA policy director Henry Young says SBOM helps organizations “understand the complete configuration of software for successful incident response and recovery,” but that mandating such an inventory is not yet appropriate, because a common implementation may not be ready for codification.
“We know that SBOM provides important information, but if the recipient of that data is not ready to absorb it and act on it, that information has no value at all,” said Young. “Currently, the vendor is able to put together an SBOM, but without industry standardization, the process of turning the SBOM into the actions needed to make concrete cybersecurity improvements is still not ready to take place at scale.”
Ross Nodurft, former head of OMB’s cyber team, told FCW that “SBOM can be part of a broader software supply chain risk management approach,” but warned that “if the focus is on SBOM, you risk losing sight of the forest for the trees.”
The White House announcement on software acquisition comes as agencies work through a critical piece of the cybersecurity executive order. Government agencies will have until September 2023 to collect certifications from vendors attesting that their third-party software adheres to secure software development practices. Government agencies must secure certifications for critical software by June 2023. NIST defines critical software as software that has direct or privileged access to a network or computing resource, or performs trust-critical functions.