Increased Threat Leads to More Scrutiny of Software Components
The move comes at a time when federal agencies face a growing number of cybersecurity threats, and less than two years after the high-profile software supply chain compromise of SolarWinds was discovered in December 2020.
During the same month the SolarWinds compromise was discovered, the Government Accountability Office evaluated 23 federal agencies and found that none had fully implemented selected foundational practices for managing information and communication technology supply chain risks, also known as supply chain risk management.
By not fully implementing the foundational practices, the GAO reported, the agencies were at a greater risk of malicious actors exploiting supply chain vulnerabilities, which could lead to disruptions to mission operations, harm to individuals or theft of intellectual property.
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) is at work on a Software Bill of Materials (SBOM), described by the agency as “a nested inventory, a list of ingredients that make up software components.”
The agency will advance the work through community engagement, development and other means with a focus on scaling and operationalization, as well as tools, new technology and new use cases, according to CISA’s website.
As for the Biden administration’s mandate, experts say government and industry still need to reach a consensus on a supply chain maturity model that allows tech companies to definitively prove they’re in compliance with the mandated SSDF, FedScoop reports.
“Exactly which artifacts — like threat models, log entries, source code files and vulnerability scan reports — and relevant metadata agencies should require companies to present in support of their attestations they meet federal software requirements remains up for debate,” according to FedScoop.
Companies Want More Research Before Security Rules Are Finalized
In April, the Cybersecurity Coalition, representing numerous companies in the industry, including Google, Microsoft and Intel, sent comments on the guidelines to the federal government. Among them was a recommendation against being overly prescriptive in defining how federal agencies should obtain and retain attestations from companies until there is a better understanding on the most effective approach.
“We believe that additional research and pilot programs are necessary before SSDF attestations can be required of software producers or used effectively by agencies,” the Cybersecurity Coalition wrote. “A significant part of this research and piloting must result in the identification and implementation of standards for attestation format and commonly acceptable approaches for sharing.”
The White House had previously issued a statement that it was looking for feedback from companies and engaging with the private sector on the attestation piece of the mandate, with the understanding that vendor attestation of secure software development practices has significant implications for vendors and service providers working with the federal government.
The coalition noted in its feedback that any attestation will be tied to a specific version of software at a specific point in time, and that it will be incumbent upon the procuring federal agencies to recognize this and ensure records are kept up to date.
It also recommends that low-risk systems be allowed to self-attest, as “third-party assessments can be costly and time consuming, a problem that only gets worse as the rate of software updates increases, and in continuously updated cloud systems.”
The cost of third-party audits was the main reason the Defense Department abandoned its Cybersecurity Maturity Model Certification and moved to a pared-down CMMC 2.0 that allows for more self-certifications.
High-Risk Companies May Need More In-Depth Software Assessments
For systems with a higher risk, however, the coalition acknowledges that third-party assessments and potentially more detailed artifacts may be necessary, “but again point out that the more stringent the requirements, the more time and effort will be necessary to produce what is required.”
“We strongly recommend the federal government identify opportunities and mechanisms to pilot procurement requirements to ensure that all parties are able to adequately articulate what information is useful in achieving the desired goal,” the Cybersecurity Coalition writes in its final recommendation to policymakers.
“Too much ambiguity and unknowns will only serve to frustrate the adoption of procurement requirements, result in uneven and/or ineffectual outcomes, and put the long-term success of the effort in jeopardy.”