Experts Reaction On White House Releases Post-SolarWinds Federal Software Security Requirements

It has been reported that agencies will require software vendors to self-certify that they’re following secure development practices under new White House guidance, but it leaves the door open for departments to mandate third-party security assessments as well. The new guidance from the Office of Management and Budget, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” stems from last year’s cybersecurity executive order. It applies to agencies’ use of third-party software, in turn affecting the vast array of contractors and software producers in the federal procurement ecosystem.

3 Expert Comments
Mark Stamford, Founder, InfoSec Expert
September 20, 2022 12:08 pm

The problem here is who sets the standards? If we need to use software built using a secure development process, who is setting that? And how do we enforce it? And what about organizations that can’t comply (i.e. small businesses)? So is this going to lead to the usual suspects being acceptable and everyone else not? This will have a long-term, net negative effect on our nation’s security.

James McQuiggan, Security Awareness Advocate, InfoSec Expert
September 15, 2022 1:10 pm

The documents coming forthwith are guidance and not regulation. Unlike FedRAMP compliance, where it’s mandatory, this supply chain security is written as guidance. It should be integrated with FedRAMP compliance to ensure that all organisations providing software or software services to the government comply with the criteria in the soon-to-be-published guidance. Included in the guidance is a requirement for training. However, this training is not to develop secure software but to understand the guidance and how to implement it within the supporting organisation. If organisations can provide Secure Development LifeCycle (SDLC) training to their developers and integrate those concepts into their organisation’s culture, it will effectively improve the quality of the software. Having security top of mind and embedded into the culture for all users can reduce the risk of data breaches, leaks, and misconfigured software.

Sam Curry, Chief Security Officer, InfoSec Expert
September 15, 2022 1:09 pm

Yesterday’s Office of Management and Budget memo is an indication that the government is taking supply chain risk seriously and beginning to tackle this enormous problem. This is one of those things where doing nothing draws no attention but doing something begs the question of “is this enough?” The answer is always no to that, by the way, because the opponent is always at work. For that reason, something is significant. What matters, though, is how we build on this. There is no one requirement or one thing that will make it all alright. Security is about building on what is laid down and about the rate of improvement. This says that the government is in the game, and it’s time to get the innovation started.
