It has been reported that agencies will require software vendors to self-certify that they’re following secure development practices under new White House guidance, but it leaves the door open for departments to mandate third-party security assessments as well. The new guidance from the Office of Management and Budget, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” stems from last year’s cybersecurity executive order. It applies to agencies’ use of third-party software, in turn affecting the vast array of contractors and software producers in the federal procurement ecosystem.
The problem here is who sets the standards? If we need to use software build using secure development process, who is setting that? And how do we enforce it? And what about organizations that can’t comply (I.e small businesses) so is this going to lead to the usual suspects being acceptable and everyone else not? This will have a long term, net negative effect on our nations security.
The documents coming forthwith are guidance and not regulation. Unlike the FEDRamp compliance, where it’s mandatory, this supply chain security is written as guidance. It should be integrated with the FEDRamp compliance to ensure that all organisations providing software or software services to the government comply with the criteria in the soon-to-be-published guidance. Included in the guidance is a requirement of training. However, this training is not to develop secure software but to understand the guidance and how to implement it within the supporting organisation. If organisations can provide Secure Development LifeCycle (SDLC) training to their developers and integrate those concepts into their organisation’s culture, it will effectively improve the quality of the software. Having security top of mind and embedded into the culture for all users can reduce the risk of data breaches, leaks, and misconfigured software.
Yesterday’s Office of Management and Budget memo is an indication that the government is taking supply chain risk seriously and beginning to tackle this enormous problem. This is one of those things where doing nothing draws no attention but doing something begs the question of “is this enough?” The answer is always no to that, by the way, because the opponent is always at work. For that reason, something is significant. What matters, though, is how we build on this. There is no one requirement or one thing that will make it all alright. Security is about building on what is laid down and about the rate of improvement. This says that the government is in the game, and it’s time to get the innovation started.