May 20 2022

Private Sector Seeks Clarity on Federal Software Security Compliance

Per a government mandate, agencies may only work with companies that meet a standard set of guidelines.

Part of President Joe Biden’s strategy to improve the country’s cybersecurity posture includes a plan for all federal agencies to ensure that private companies in the government’s software supply chain meet a standard set of guidelines intended to improve security and integrity.

Still, what exactly that executive order means for the private sector remains to be seen.

“The security of software used by the federal government is vital to the federal government’s ability to perform its critical functions,” notes Biden’s executive order (Executive Order 14028, “Improving the Nation’s Cybersecurity”), issued one year ago this month.

“The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors,” the order continues. “There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.”  

Per the timeline set forth in the executive order, the National Institute of Standards and Technology (NIST) has issued the Secure Software Development Framework (SSDF), published as NIST Special Publication 800-218. The SSDF is written for software producers; under the order, agencies are to require that the software they buy was developed in conformance with its practices and that vendors can attest to that.

“Following the SSDF practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences,” according to NIST.


Increased Threat Leads to More Scrutiny of Software Components

The move comes at a time when federal agencies face a growing number of cybersecurity threats, and roughly 18 months after the high-profile compromise of SolarWinds’ Orion software supply chain was discovered in December 2020.

During the same month the SolarWinds compromise was discovered, the Government Accountability Office evaluated 23 federal agencies and found that none had fully implemented the selected foundational practices for information and communications technology (ICT) supply chain risk management (SCRM).

By not fully implementing the foundational practices, the GAO reported, the agencies were at a greater risk of malicious actors exploiting supply chain vulnerabilities, which could lead to disruptions to mission operations, harm to individuals or theft of intellectual property.

Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) is advancing adoption of the Software Bill of Materials (SBOM), described by the agency as “a nested inventory, a list of ingredients that make up software components.”

The agency will advance the work through community engagement, development and other means with a focus on scaling and operationalization, as well as tools, new technology and new use cases, according to CISA’s website.

As for the Biden administration’s mandate, experts say government and industry still need to reach a consensus on a supply chain maturity model that allows tech companies to definitively prove they’re in compliance with the mandated SSDF, FedScoop reports.

“Exactly which artifacts — like threat models, log entries, source code files and vulnerability scan reports — and relevant metadata agencies should require companies to present in support of their attestations they meet federal software requirements remains up for debate,” according to FedScoop. 


Companies Want More Research Before Security Rules Are Finalized

In April, the Cybersecurity Coalition, representing numerous companies in the industry, including Google, Microsoft and Intel, sent comments on the guidelines to the federal government. Among them was a recommendation against being overly prescriptive in defining how federal agencies should obtain and retain attestations from companies until there is a better understanding of the most effective approach.

“We believe that additional research and pilot programs are necessary before SSDF attestations can be required of software producers or used effectively by agencies,” the Cybersecurity Coalition wrote. “A significant part of this research and piloting must result in the identification and implementation of standards for attestation format and commonly acceptable approaches for sharing.”

The White House had previously issued a statement that it was looking for feedback from companies and engaging with the private sector on the attestation piece of the mandate, with the understanding that vendor attestation of secure software development practices has significant implications for vendors and service providers working with the federal government. 

The coalition noted in its feedback that any attestation will be tied to a specific version of software at a specific point in time, and that it will be incumbent upon the procuring federal agencies to recognize this and ensure records are kept up to date. 
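The two technical points above (CISA’s “nested inventory” and the coalition’s warning that an attestation is tied to one version at one point in time) can be made concrete with a small check an agency could run at intake. The following is an added example, not code from CISA, NIST or the Cybersecurity Coalition: the SBOM is a constructed CycloneDX-style document with nested components, and the attestation record (`attested_version`, `attested_sha256`, `issued_at`) is a hypothetical shape chosen for illustration, not a federal attestation format.

```python
"""Flatten a nested SBOM and check that an attestation still matches what is deployed.

Added example. The SBOM is a constructed CycloneDX-style JSON document; the
attestation record shape is hypothetical, not any official format.
"""
import hashlib
import json
from datetime import datetime

# Constructed sample SBOM: the product bundles libraries that themselves bundle
# libraries, the nesting an SBOM exists to record.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2022-04-01T09:30:00+00:00",
        "component": {"type": "application", "name": "acme-portal", "version": "2.3.0"},
    },
    "components": [
        {"type": "library", "name": "web-framework", "version": "4.1.2",
         "components": [
             {"type": "library", "name": "template-engine", "version": "3.0.9"},
             {"type": "library", "name": "http-parser", "version": "1.8.1"},
         ]},
        {"type": "library", "name": "crypto-lib", "version": "1.1.1",
         "components": [{"type": "library", "name": "asn1-codec", "version": "0.4.0"}]},
    ],
})

# Constructed stand-in for the release bundle an agency actually installs.
SAMPLE_ARTIFACT = b"acme-portal-2.3.0 release bundle (constructed sample bytes)"


def artifact_digest(artifact: bytes) -> str:
    """SHA-256 of the delivered artifact; this is what binds attestation to bits."""
    return hashlib.sha256(artifact).hexdigest()


# Hypothetical attestation record: bound to one version, one digest, one time.
VALID_ATTESTATION = {
    "producer": "Acme Corp (constructed)",
    "attested_version": "2.3.0",
    "attested_sha256": artifact_digest(SAMPLE_ARTIFACT),
    "issued_at": "2022-04-02T12:00:00+00:00",
}


def inventory(sbom_json: str):
    """Return [(depth, name, version), ...] for every component, following nesting."""
    def walk(items, depth):
        for comp in items:
            yield depth, comp["name"], comp["version"]
            yield from walk(comp.get("components", []), depth + 1)
    sbom = json.loads(sbom_json)
    return list(walk(sbom.get("components", []), 1))


def check_attestation(attestation: dict, sbom_json: str, artifact: bytes):
    """Return a list of findings; an empty list means the attestation still covers what is deployed.

    Three things can drift after an attestation is issued: the product version,
    the bytes of the artifact, and the SBOM itself (regenerated for a later build).
    Each is reported separately so the intake record shows what went stale.
    """
    findings = []
    sbom = json.loads(sbom_json)
    shipped_version = sbom["metadata"]["component"]["version"]
    if attestation["attested_version"] != shipped_version:
        findings.append(f"version drift: attested {attestation['attested_version']}, SBOM says {shipped_version}")
    if attestation["attested_sha256"] != artifact_digest(artifact):
        findings.append("artifact digest does not match attested digest")
    issued = datetime.fromisoformat(attestation["issued_at"])
    sbom_generated = datetime.fromisoformat(sbom["metadata"]["timestamp"])
    if issued < sbom_generated:
        findings.append("attestation predates the SBOM; it describes an earlier build")
    return findings


if __name__ == "__main__":
    for depth, name, version in inventory(SAMPLE_SBOM):
        print("  " * depth + f"{name} {version}")
    print("findings:", check_attestation(VALID_ATTESTATION, SAMPLE_SBOM, SAMPLE_ARTIFACT))
```

The digest comparison is the part that matters: a version string alone is something a vendor can reuse across rebuilds, whereas a hash of the delivered artifact ties the attestation to the exact bits an agency installs, and any patch, however small, forces a fresh record.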

It also recommends that low-risk systems be allowed to self-attest, as “third-party assessments can be costly and time consuming, a problem that only gets worse as the rate of software updates increases, and in continuously updated cloud systems.” 

The cost of third-party audits was a main reason the Defense Department reworked its Cybersecurity Maturity Model Certification into a pared-down CMMC 2.0, announced in November 2021, which cut the five maturity levels to three and allows self-assessment for Level 1 and for some Level 2 programs rather than requiring a third-party assessor across the board.


High-Risk Companies May Need More In-Depth Software Assessments

For systems with a higher risk, however, the coalition acknowledges that third-party assessments and potentially more detailed artifacts may be necessary, “but again point out that the more stringent the requirements, the more time and effort will be necessary to produce what is required.”

“We strongly recommend the federal government identify opportunities and mechanisms to pilot procurement requirements to ensure that all parties are able to adequately articulate what information is useful in achieving the desired goal,” the Cybersecurity Coalition writes in its final recommendation to policymakers.

“Too much ambiguity and unknowns will only serve to frustrate the adoption of procurement requirements, result in uneven and/or ineffectual outcomes, and put the long-term success of the effort in jeopardy.”
