The Office of Management and Budget is preparing to release new requirements for software supply chain security, according to a senior federal cybersecurity official.
While discussing future federal cybersecurity priorities during a Nextgov event on Thursday, Stephen Hernandez, chief information security officer at the Education Department and chair of the Federal CISO Council, said new software supply chain requirements were imminent.
“I would not be surprised if you hear something from [the Office of Management and Budget] in the coming weeks on what they want to do in the software space, in terms of the next step and an upgrade on what [the National Institute of Standards and Technology] put out,” he said.
Asked to elaborate, Hernandez said policymakers are working to codify the efforts of NIST and other parts of government focused on cybersecurity, such as the Cybersecurity and Infrastructure Security Agency, or CISA, to help agencies understand the origins of the software used on government networks and to hold vendors responsible for maintaining the security of that code.
“We will see a lot more discussion about software,” Hernandez said. “NIST has done a fantastic job of releasing the first version of the Secure Software Development Framework, and I think the next step will be that agencies will now have to start dealing with that and say, ‘Hey, vendors, you’re critical software. We will need you to talk to us and explain how you meet the requirements of the Secure Software Development Framework.’”
Agencies are already under a mandate from the May 2021 executive order to adhere to the framework, although the forthcoming policy document may provide further guidance and force behind that requirement. OMB officials have previously said such guidance should address whether vendors should be allowed to supply information through self-assessment or be required to provide it through third-party verifiers, as in other programs such as the Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, and the Federal Risk and Authorization Management Program, or FedRAMP.
Hernandez also mentioned NIST Special Publication 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations,” which sets standards for securing software throughout the supply chain, including maintaining an inventory of the software deployed on government networks along with the origin of all the code that makes up that software, a practice known in the cybersecurity community as a software bill of materials, or SBOM.
The first update to that document was released on Thursday.
“The other side of this coin, just as important and which should be right on its heels, is this idea around SBOM and ensuring that we can get it from our software vendors,” Hernandez said. “And, hopefully, in some kind of machine-readable format.”
The machine-readable aspect is not trivial, Hernandez said, because agencies often lack the time and resources to deal with an incident or security vulnerability.
“When the next Log4j hits, we wish we could basically go to our own [governance, risk and compliance] tool, start a search and see what has this particular component in it so we can take action immediately,” he said. “It will be a big difference from what happened last time, which was that I pulled software development teams into my [security operations center] to start looking at different programs to see if they were affected.”
On a normal day, those teams would be maintaining or building applications to fulfill the Education Department’s mission rather than chasing potential security vulnerabilities.
Beyond the short term, Hernandez suggested that future executive orders could address the cybersecurity implications of quantum computing, complementing two orders on the subject issued this week, and of artificial intelligence, which was the focus of past executive orders as well.
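As an added illustration of the search Hernandez describes (example code, not from the article or any agency tool): a small Python routine that loads CycloneDX-style SBOM documents, one per application, and reports which applications contain a named component within a given version range, including components nested inside other components. The SBOM documents, application names and version range are constructed for this example; an affected range should come from the vendor advisory.

```python
import json
from typing import Iterator

# Constructed CycloneDX-style SBOMs, one per application (sample data, not real inventories).
SBOMS = [
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                "metadata": {"component": {"name": "grants-portal", "version": "4.2.0"}},
                "components": [{"type": "library", "group": "org.apache.logging.log4j",
                                "name": "log4j-core", "version": "2.14.1"}]}),
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                "metadata": {"component": {"name": "student-aid-api", "version": "1.9.3"}},
                "components": [{"type": "library", "group": "org.apache.logging.log4j",
                                "name": "log4j-core", "version": "2.17.1"}]}),
    # A library that bundles log4j-core: the nested component is where the exposure hides.
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                "metadata": {"component": {"name": "reporting-batch", "version": "7.0.1"}},
                "components": [{"type": "library", "group": "gov.example", "name": "report-bundle",
                                "version": "3.2.0",
                                "components": [{"type": "library", "group": "org.apache.logging.log4j",
                                                "name": "log4j-core", "version": "2.11.0"}]}]}),
]


def _version_key(version: str) -> tuple:
    """Simplified ordering on the numeric dotted prefix: '2.14.1' -> (2, 14, 1).
    Pre-release tags such as '-beta9' are ignored, which is adequate for this demo only."""
    parts = []
    for piece in version.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def _walk(components) -> Iterator[dict]:
    """Yield every component, descending into nested 'components' lists."""
    for comp in components or []:
        yield comp
        yield from _walk(comp.get("components"))


def find_affected(sboms, group: str, name: str, min_ver: str, max_ver: str) -> dict:
    """Return {application: [versions]} for applications whose SBOM lists group:name
    at a version within the inclusive range [min_ver, max_ver]."""
    lo, hi = _version_key(min_ver), _version_key(max_ver)
    hits: dict = {}
    for raw in sboms:
        bom = json.loads(raw)
        app = bom.get("metadata", {}).get("component", {}).get("name", "<unnamed>")
        for comp in _walk(bom.get("components")):
            if comp.get("group") == group and comp.get("name") == name:
                ver = comp.get("version", "")
                if lo <= _version_key(ver) <= hi:
                    hits.setdefault(app, []).append(ver)
    return hits
```

Running `find_affected(SBOMS, "org.apache.logging.log4j", "log4j-core", "2.0", "2.14.1")` flags grants-portal and reporting-batch but not student-aid-api, which is the per-component answer a GRC search would need to give.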