A key adviser to the National Institute of Standards and Technology expressed skepticism at a recent meeting about a policy that encourages agencies to accept the security promises of software vendors.

The sentiment may be widely felt but rarely expressed by individual federal officials, and has sparked discussion about what might come next in the administration’s efforts to avoid a repeat of the infamous SolarWinds hack.

“You can’t just trust vendors, we have to stop this,” said Brett Baker, inspector general for the National Archives and Records Administration. “Somebody had to say it,” he added.

Baker’s comments came Wednesday in a conversation with Steve Lipner, attended by Nextgov, on the sidelines of a meeting of NIST’s Information Security and Privacy Advisory Board. Baker and Lipner, executive director of SAFECode, a nonprofit created by major technology companies to coordinate their security efforts, are both board members. Lipner, who previously worked for many years in security at Microsoft, is chairman of the board.

The two were following up on Baker’s reaction during the meeting to a briefing the board received on M-22-18, the OMB memo issued to agencies under President Joe Biden’s executive order on improving the nation’s cybersecurity. That order came after the SolarWinds breach, which was part of a campaign that compromised at least nine federal agencies and more than a hundred companies.

SolarWinds IT management software is everywhere in the federal government. After hackers penetrated the firm’s software build and delivery pipeline and inserted malware into a routine update without being detected, thousands of its customers installed that update and were exposed to unauthorized access.

The executive order details a set of security practices, such as “establishing multi-factor, risk-based authentication and conditional access across the enterprise,” that it says should be included in the software development guidelines NIST was to issue. It also instructed the OMB director to “take appropriate steps to require agencies to comply with such guidelines” in the purchase and use of software.

When NIST issued its guidance in February, it recommended that agencies take a cautious approach and let software vendors self-attest that they follow secure software development practices. OMB followed suit with M-22-18 in September, requiring agencies to collect a signed self-attestation form, to be developed by the Cybersecurity and Infrastructure Security Agency, from their software vendors.

“You’ve got to remember that they’re sending the government a form signed by, you know, senior professionals in their organization attesting to certain standards, so that’s something that I hope the software manufacturers take fairly seriously before they sign that final order,” said Mitch Herckis, the OMB official who delivered the briefing. Herckis, who is director of federal cybersecurity in the Office of the Federal Chief Information Officer, said the office is also looking to move quickly while avoiding burdens on industry stakeholders that would shrink the pool of federal contractors.

The OMB memo leaves it up to agencies to decide whether to require vendors to undergo a third-party security assessment. It also makes it optional to collect evidence that would support a vendor’s attestation: artifacts such as software specifications, log entries, and reports from source code vulnerability scans and other tests.

Baker told Nextgov that collecting such artifacts “would be useful for agencies to gain more insight into whether or not they should trust this vendor.”

During the meeting, he asked Herckis why OMB chose to rely solely on the word of software vendors in issuing its requirements to agencies.

“They do these things just to give confidence to people who invest in them, but they actually have insecure applications and software,” Baker said, referring to standards that allow self-assessment to indicate compliance with security controls in the private sector. “It just seems like, given SolarWinds a couple of years ago, do we want to get into maybe a little bit more oversight and assurances? … I’m just saying that self-assessment is not enough.”

Lipner backed Herckis, using his position as chairman to step in and highlight problems with third-party security assessments.

The most likely “result is that you get documentation that basically outsources your confidence,” he said. Lipner also pointed out that SolarWinds had been evaluated for security by a third party under the Common Criteria scheme before its software was compromised.

One high-profile example of how hard it is to implement a successful third-party assessment system is the Cybersecurity Maturity Model Certification program. The Defense Department launched the initiative citing a lack of confidence in the similar self-certification forms that defense contractors are already required to submit, pledging to adhere to NIST security standards. The Biden administration paused the program for review last November amid controversy over conflict-of-interest issues and opposition from major information technology vendors.

Other stakeholders, such as Sen. Rob Portman, R-Ohio, and Peiter Zatko, Twitter’s former head of security, have also recently identified the current dynamic around third-party cybersecurity certification in the US as problematic.

Testifying before Congress, Zatko raised the conflict-of-interest implications of organizations hiring their own assessors. He also described how easy it was for Twitter to sidestep the FTC’s enforcement process, which relies on evaluators simply asking a series of questions rather than establishing the “ground truth” about an enterprise’s security through subject-matter auditing standards.

Baker, who holds a doctorate in information technology and systems management, has been relatively reserved during his five-year tenure on the NIST board. But on Wednesday, he continued to hammer home his point.

“You have to have tests to make sure the controls are working properly,” he said, noting the lessons the inspector general community has learned in evolving away from a similar question-based approach to checking agencies’ compliance with the Federal Information Security Management Act. “That’s kind of where I’m at with him.”

Lipner’s disagreement is not about the value of testing itself. After the briefing, he tried to reconcile his position with Baker’s, arguing that the attestations vendors make about their security can be used to hold them publicly accountable, and to set an example for others, by selectively auditing them through independent auditing firms.

He told Nextgov that effectively addressing the demand for higher assurance is a matter of scale, since high-level skills are required to make appropriate assessments.

There are “[errors] that you can find, but they’re not trivial to find, and you can’t just hire people en masse to do it,” Lipner said.

Asked how agencies could choose which vendors to audit, Lipner said that “even by accident it’s not bad, but you can do better than that.” He pointed to security researchers finding inconsistencies in a vendor’s stated security practices, and to a vendor’s record of cybersecurity incidents, as factors that could trigger an audit.

The next stage of the executive order that administration officials are working on is the Federal Acquisition Regulatory Council’s proposal for new procurement rules cementing, and potentially adding to, M-22-18.

Ultimately, Lipner said, “I think there has to be some basis for [audits] and maybe that comes in the FAR manual or what have you. If you’re selling to the government, you’re somewhat subject to the government’s rules, as I understand it.”

Under the executive order, OMB was required to submit recommendations to the FAR Council, a body that an OMB representative chairs. Baker told Nextgov that OMB has the ability to empower agencies to take a proactive, evidence-based approach to securing their software.

“The memo that came out is a start,” he said. “I’m not saying it’s not the right direction, it’s better than where we were a few months ago. It’s a process. Perhaps over time, OMB can do more.”