May 17 2023

Agencies Should Take These Steps to Ensure They’re Buying Secure Software

CISA’s “security-by-design and -default” principles might want to shift the burden onto software manufacturers, but there’s more the government can do.

The Cybersecurity and Infrastructure Security Agency’s “security-by-design and -default” principles ignore the fact that software manufacturers working with federal agencies and the military already design their solutions with security at the fore.

CISA, the FBI, NSA and six foreign cyber authorities that issued the guide on April 13 hailed it as an effort to shift “much of the burden” of cyber incidents away from agencies and onto software manufacturers. Yet, it’s not as if anyone doing business with the government is outsourcing coding to China.

If the guide’s intent is to start shifting cyber incident liability onto software companies, that’s a tough pill to swallow when software makers can simply choose to work exclusively with industry customers. Most software companies already take on the responsibility of cyber risk internally because there are national and business ramifications to a successful cyberattack on an agency customer.

Also concerning: If CISA uses the guide to introduce more rigorous product testing, the speed of software deployment would slow. Exhaustive procurement and security policies left federal cybersecurity lagging years behind the commercial sector, until as-a-service solutions came along, allowing agencies to use operating funds to implement capabilities more quickly.

The reality is that cyber incident liability will always rest with agencies and other end users, but there are steps they can take to ensure they’re buying the most secure software for their needs.


Work with Companies That Carry Multiple Software Product Lines

Software resellers that carry multiple product lines are incentivized to assist agencies, and provide a vendor-agnostic approach. Original equipment manufacturers, on the other hand, are inclined to tell agencies why their product is right and their competitors’ products are wrong.

In the same vein, small business partners and niche players tend to align themselves with specific OEMs such as Amazon Web Services, Microsoft or Splunk. When an agency turns to them with a security problem, those OEMs are always the answer — limiting flexibility.

Agencies need to start treating a lack of variety among software partners as a red flag. Resellers are more likely to offer frank feedback on the security of the software they offer, and agencies can draw on those resellers’ experience with previous federal customers. That’s only going to become more critical as cyberattacks evolve.


Interagency Collaboration on Software Security Is Key

Only through collaboration can agencies understand what others are doing to ensure software security, as well as how successful others have been with different software packages. Unfortunately, that sort of collaboration doesn’t happen as frequently among civilian agencies as it does within the military.

Military branches are far more aware of what the others are doing with respect to software security, even if some of that collaboration is mandated. Part of that is because missions within the Department of Defense tend to overlap.

Civilian agencies, because they have more disparate missions, tend not to see as much value in sharing information on software best practices. The Department of Energy might not be as interested in what secure software the U.S. court system or U.S. Department of Agriculture is using.


Look for Companies with Security Certifications

The International Organization for Standardization creates information security standards. ISO 27001, its formal certification for information security management systems, promotes a holistic approach to risk management and cyber resilience through the vetting of people, processes and tools.

A third-party ISO 27001 certification demonstrates that a company is committed and able to manage information securely and safely, affording it a competitive edge and its agency customers some peace of mind that the company actively works to reduce supply chain vulnerabilities.

Agencies can be confident that companies with such certifications have at least eliminated some vulnerabilities.

And while there’s currently no secure-by-design certification for OEMs to obtain, it’s fair for agencies to assume companies that are ISO 27001–certified would pursue one should it be made available. They’re clearly doing their due diligence.
