The move follows several recent cybersecurity incidents, such as the SolarWinds and Microsoft Exchange breaches and the Colonial Pipeline attack, which all highlight the increasing risks that both the public and private sectors face from nation-state actors and cybercriminals.
These incidents share commonalities, including insufficient cybersecurity defenses that left public and private sector entities vulnerable.
The Colonial Pipeline incident is a sobering reminder that our nation faces sophisticated cyber threats. Today, President Biden signed an executive order to chart a new course to improve the nation's cybersecurity and protect federal government networks.
One of the key pillars of the cybersecurity EO is Section 4, which focuses on improving software supply chain security.
Improve Software Supply Chain Security. The Executive Order will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of Federal procurement to incentivize the market._**
Finally, it creates a pilot program to create an “energy star” type of label so the government – and the public at large – can quickly determine whether software was developed securely. Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.
A software supply chain encompasses anything that goes into or affects an organization's software code -- from development, through continuous integration/continuous delivery (CI/CD), until production.
This EO will have ripple effects across the technology landscape, as the software supply chain is incredibly interconnected. With the EO issues, SaaS vendors are under pressure to comply with the new standards put in place.
Tasked with providing guidelines to enhance software supply chain security, the National Institute of Standards and Technology (NIST) has solicited input from the Federal Government, private sector, and academia to identify and develop new standards, tools, and best practices to comply with the cyber EO. These guidelines will include criteria that evaluate software security and the security practices of developers and suppliers.
To do this, SaaS providers working with the government (i.e. FedRAMP-certified) will need real-time visibility into their technology stack. Several resources are already available to help SaaS vendors navigate the new standards, but priorities should include the building and maintenance of a comprehensive inventory and implementing tools and practices to truly understand suppliers and the overall software supply chain.
How SaaS Vendors Can Ensure Compliance
There are a few ways in which SaaS vendors can work towards compliance, whether they have already begun these initiatives or have initiated new programs as a result of the EO.
The EO specifies the following:
Vendors are tasked with providing, when requested by a purchaser, artifacts of the execution of tools and processes, and making available information on completion of related actions, including a summary description of the risks assessed and mitigated.
By employing these types of automated tools, or comparable processes, SaaS vendors can maintain trusted source code supply chains, thereby ensuring the integrity of the code. Further, these types of tools can also check for known and potential vulnerabilities and remediate them, and should operate regularly, or at a minimum before product, version, or update release.
The EO also outlines the need to “maintain accurate and up-to-date data, the provenance of software code or components, and controls on internal and third-party products or services. This includes performing audits and enforcing these controls on a recurring basis.”
Organizations must provide a purchaser with a Software Bill of Materials (SBOM) for each product, either directly or by publishing it on a public website. This SBOM will include an inventory of software components used in creating the device or system. Established and well-maintained inventories enable organizations to attest to conformity with secure software development practices, which therefore ensures the integrity and provenance of the software used within any portion of its products.
It’s wonderful to see coordinated vulnerability disclosure (CVD) and Software Bill of Materials (SBOM) right next to each other. These are efforts the security community has been working on advancing for years that we know are effective in using transparency to foster security. pic.twitter.com/LWrthfXfCJ
Each of these standards requires a level of visibility into the software supply chain that many organizations may not yet have. This visibility needs to encompass the entire tech stack and will be crucial to ensuring supply chain security.
Private StackShare for Teams Can Help
There’s no denying it – visibility into security must be a priority from the top down. Section 2 of the EO centers on removing barriers to sharing threat information, encouraging government entities to share pertinent threat information across agencies.
As it states, “Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies’ systems and of information collected, processed, and maintained by or for the Federal Government.”
Private StackShare has the real-time visibility, collaboration, and integration capabilities you need to collaborate on technology decisions across your engineering teams. It helps you access the wealth of technical knowledge across your company and draw technology insights from your Git repos.
Learn how we can help your organization comply with the new cyber EO guidelines.
