Last night, the Biden administration released an executive order on cybersecurity (Executive Order 14028, “Improving the Nation’s Cybersecurity”) that includes new security requirements for vendors selling software to the U.S. government. These requirements include security testing during development and a software bill of materials (SBOM) listing the components, including open source libraries, that make up each product, so that known vulnerabilities in those components can be identified and tracked over time. Vendors that do not meet these standards will not be able to sell software to the federal government. There are also indications that these practices will make their way into the private sector, as much of the software sold to the government is also sold to enterprises.
We’re working on a series of blog posts and other content that will break this order down for you and track the standards as NIST develops them over the next 12 months. We’ve been advising and collaborating with the government (starting with testifying before Congress 23 years ago) and other standards bodies for years on this very topic, in addition to working with large enterprises in highly regulated industries like financial services and healthcare to help them comply with similar standards. We’ll be using our experience and expertise to share our best practices, lessons learned, and data gathered from helping over 2,500 customers secure their software.
What’s in the order?
In the wake of recent cyberattacks on government agencies through SolarWinds Orion and Microsoft Exchange Server, this order aims to better protect government systems from a vulnerable software supply chain. Noting that “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced,” the order includes requirements for:
- The security of software eligible for purchase by the federal government
- Communication and collaboration on cybersecurity between the private sector and government agencies, and between government agencies
- Modernizing the federal government’s cybersecurity
In terms of improving communication and collaboration, initiatives in the order include convening a Cyber Unified Coordination Group for significant incidents, a standard playbook for responding to cybersecurity incidents on federal systems, and a Cyber Safety Review Board. This review board will operate like an NTSB for cyber, investigating significant attacks and sharing findings on how and why they happened. There are also several new policies on sharing threat and incident information, including requirements for logging on federal systems so that incidents can be investigated, and for removing contractual barriers that keep IT service providers from sharing threat information with agencies. The order specifies that software and SaaS providers with federal contracts must promptly report cybersecurity incidents or breaches.
To modernize the government’s cybersecurity, the order includes requirements around adopting a zero trust architecture, accelerating the move to secure cloud services (SaaS, IaaS, and PaaS), and deploying multifactor authentication and encryption of data at rest and in transit across federal systems.
What are the software security requirements?
The order states that “the development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.” Building on guidance that NIST is directed to publish, the executive order requires software vendors to provide:
- Software security attestation, including using tools to check code for vulnerabilities regularly and producing artifacts related to that testing
- Development environment security attestation, including ensuring the security of the build environment
- Proof of integrity of open source code in use
- Proof of the security of legacy software, or a plan to secure it
- A software bill of materials (SBOM) for each product, provided to the purchaser directly or published on a public website
The order also distinguishes critical from noncritical software. NIST is tasked with defining “critical software” and with developing the requirements and timelines that apply to each category.
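The SBOM requirement above only pays off if the purchaser does something with the document it receives. As an added example (not code from the original post, the order, or any Veracode product), the Python below shows the two checks a buyer would most want to run against a CycloneDX-style SBOM: match each component’s package URL and version against a list of known-vulnerability advisories, and recompute the hashes the SBOM records to confirm the delivered artifacts were not altered after the SBOM was produced. The SBOM, package names, advisory identifiers, and artifact bytes are all constructed for illustration, and the version ordering is a deliberate simplification of the ecosystem-specific rules real tooling applies.

```python
"""Consume a CycloneDX-style SBOM: flag components in a known-vulnerable
version range and verify the integrity hashes recorded for each component.
All data below is constructed for illustration; nothing here is a real
package, real digest, or real advisory."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the delivered artifacts, keyed by "package@version".
ARTIFACTS: Dict[str, bytes] = {
    "pkg:maven/org.example/log-util@2.14.1": b"constructed jar bytes: log-util 2.14.1",
    "pkg:npm/example-widget@3.0.0": b"constructed tarball bytes: example-widget 3.0.0",
    "pkg:pypi/json-parse@1.3.0": b"constructed wheel bytes: json-parse 1.3.0",
}

# Constructed CycloneDX 1.4-style SBOM reduced to its component list. The
# recorded digests match ARTIFACTS, as a vendor's SBOM should match its release.
SBOM_JSON: str = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log-util", "version": "2.14.1",
         "purl": "pkg:maven/org.example/log-util@2.14.1?type=jar",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS["pkg:maven/org.example/log-util@2.14.1"])}]},
        {"type": "library", "name": "example-widget", "version": "3.0.0",
         "purl": "pkg:npm/example-widget@3.0.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS["pkg:npm/example-widget@3.0.0"])}]},
        {"type": "library", "name": "json-parse", "version": "1.3.0",
         "purl": "pkg:pypi/json-parse@1.3.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS["pkg:pypi/json-parse@1.3.0"])}]},
    ],
})

# Constructed advisories. An affected range is [introduced, fixed);
# fixed=None means no fixed release exists yet.
ADVISORIES: List[Dict] = [
    {"id": "EXAMPLE-2021-0001", "package": "pkg:maven/org.example/log-util", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-2021-0002", "package": "pkg:pypi/json-parse", "introduced": "1.0.0", "fixed": "1.2.5"},
    {"id": "EXAMPLE-2021-0003", "package": "pkg:npm/example-widget", "introduced": "0.1.0", "fixed": None},
]


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split a package URL into (package, version), dropping qualifiers and subpath.
    'pkg:maven/org.example/log-util@2.14.1?type=jar' -> ('pkg:maven/org.example/log-util', '2.14.1')"""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        package, version = base.rsplit("@", 1)
        return package, version
    return base, None


def version_key(version: str) -> Tuple[int, int, int]:
    """Simplified ordering: leading digits of the first three dotted parts, missing
    parts treated as 0. Real tooling applies Maven, npm semver, or PEP 440 rules."""
    parts: List[int] = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed, or version >= introduced with no fix."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def find_vulnerable(sbom_json: str, advisories: List[Dict]) -> List[Tuple[str, str]]:
    """Return (package@version, advisory id) for each SBOM component in an affected range."""
    findings: List[Tuple[str, str]] = []
    for comp in json.loads(sbom_json).get("components", []):
        package, version = split_purl(comp.get("purl", ""))
        if version is None:
            continue  # nothing to compare; a production tool should report this gap
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((f"{package}@{version}", adv["id"]))
    return findings


def verify_hashes(sbom_json: str, artifacts: Dict[str, bytes]) -> Dict[str, bool]:
    """Recompute SHA-256 of each delivered artifact and compare with the SBOM record.
    A missing artifact or a digest mismatch both count as failure."""
    results: Dict[str, bool] = {}
    for comp in json.loads(sbom_json).get("components", []):
        package, version = split_purl(comp.get("purl", ""))
        key = f"{package}@{version}"
        recorded = {h["content"] for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"}
        data = artifacts.get(key)
        results[key] = data is not None and sha256_hex(data) in recorded
    return results


if __name__ == "__main__":
    for component, advisory_id in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{component}: affected by {advisory_id}")
    for component, ok in verify_hashes(SBOM_JSON, ARTIFACTS).items():
        print(f"{component}: hash {'OK' if ok else 'MISMATCH'}")
```

With the constructed data, log-util 2.14.1 and example-widget 3.0.0 fall inside their advisory ranges while json-parse 1.3.0 is already past its fix, and every recorded digest matches the delivered bytes. Swap in a modified artifact and the corresponding hash check fails, which is the tampering signal the order’s integrity requirements are meant to surface. The package URL is what makes the advisory match reliable; matching on free-text component names alone invites both misses and false positives.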
There are several new and noteworthy requirements in this order that will affect many software vendors, and also indicate the direction of future cybersecurity regulations, including:
- Assessing software security in development: The order’s focus is on security by design, or creating software securely from the start in the development phase, rather than only trying to react to incidents caused by vulnerabilities in production software.
- The inclusion of open source software: This is a notable acknowledgement that, although a significant amount of legacy software is still in use, most modern applications are assembled largely from third-party and open source components rather than written from scratch, in-house.
- Security of the development process: The order notably expands the scope from assessing the security of what is built during development to the security of the development process itself, including the build environment, which is where the SolarWinds compromise was introduced.
- IoT and software security for consumers: The mention of security rating and labeling for consumer software and IoT devices is significant. The IoT Cybersecurity Improvement Act of 2020 created requirements around the security of IoT devices purchased by the federal government, and this executive order suggests that this type of regulation may expand to the consumer market.
- Collaboration between private and public sectors, and between government agencies: This order has a significant emphasis on the need for a collaboration between both the public and private sectors, and between government agencies, to get cybersecurity right.
What does this order indicate about the future of cybersecurity?
The SolarWinds attack put the vulnerability of the software supply chain in the spotlight, and this order signals that it’s going to stay there. Software is both critical and pervasive, and also very vulnerable – whether you build it or buy it. The U.S. government won’t be the last entity demanding more security transparency from software vendors. It’s a sign of what’s to come for any organization creating software in any industry.
Where do you start?
We are digging into all the details of the order now and monitoring development of standards at NIST; stay tuned for more content on the executive order and the standards that come from it, how you can comply, and how you can take the complexity out of the process.
In the meantime, in security, as in most aspects of life, it’s always wise to start with a clear goal and a map to get there. We’ve been helping large enterprises start and mature software security programs for 15 years, and that experience gives us a clear picture of what “good” software security looks like, and of what does and doesn’t work in getting there. We used that experience and data to develop our Veracode Verified program, which gives organizations a “road map” to effective software security and helps them prove their commitment to security to their prospects and customers. The three-tiered certification program gives organizations a place to start, a place to strive for, and proof of their progress and goals. In addition, the program encompasses many of the software security requirements in this order, including automated security testing in development and assessment of open source library security.