The Office of Management and Budget is preparing to publish new requirements related to the software supply chain and cybersecurity, according to a senior federal cybersecurity official.
While discussing long-term priorities for federal cybersecurity at a Nextgov event on Thursday, Steven Hernandez, chief information security officer at the Department of Education and chairman of the Federal CISO Council, said a new mandate on the software supply chain was coming.
“I’d be surprised if in the coming weeks we hear something from [the Office of Management and Budget] about what they need to do in the software space, in terms of the next step and building what [the National Institute of Standards and Technology] is getting going,” he said.
Pressed for more details, Hernandez said lawmakers are moving to codify the efforts of NIST and other government bodies focused on cybersecurity, such as the Cybersecurity and Infrastructure Security Agency, or CISA, so that agencies know where the software used on government networks comes from and can hold vendors responsible for maintaining the security of that code.
“We’re going to see a lot more discussions about the software,” Hernandez said. “NIST has done a fantastic job in releasing the first edition of the secure software development framework and I think the next step will be that agencies are now going to start operating against that and say, ‘Hey, vendors, it’s critical software. We want you to let us know how you meet the requirements of the secure software development framework.’”
Agencies already have a mandate, through a May 2021 executive order, to adhere to the framework; an upcoming policy directive would likely give more direction and force to this requirement. OMB officials have said in the past that those rules should address whether vendors should be allowed to provide the data under self-certification or be required to submit it through third-party auditors, as with other programs such as the Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, and the General Services Administration’s Federal Risk and Authorization Management Program, or FedRAMP.
Hernandez also referred to NIST Special Publication 800-161, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” which sets out criteria for ensuring software security across the supply chain, including maintaining inventories of the software deployed on government networks and of the provenance of all the code that makes up that software, a practice known in the cybersecurity community as a software bill of materials, or SBOM.
The first update of this document was released on Thursday.
“The other aspect of the coin, just as vital and worth being aware of, is this concept around SBOM and making sure we can get it from our software vendors,” Hernandez said. “And in some sort of machine-readable format.”
The machine-readable aspect is not trivial, Hernandez said, because agencies lack time and resources when faced with a security or vulnerability incident.
“When the next Log4j arrives, we need to be able to access our [governance, risk and compliance] tool, run a search, and see what specific component has been built in so we can start taking action without delay,” he said. “It’s going to be an overall difference from what happened last time, which is that I brought software development groups to my [security operations center] to start on other systems and see if they were affected.”
Normally, those teams would be building or maintaining programs that carry out the Education Department’s mission, rather than hunting for possible security holes.
Beyond the near term, Hernandez said future executive orders may address the implications of quantum computing for cybersecurity, complementing a pair of executive orders on the subject released this week, and artificial intelligence, which has also been the topic of past executive orders.