The Office of Management and Budget is preparing to release new requirements for software supply chain security and cybersecurity, according to a senior federal cybersecurity official.
Discussing future federal cybersecurity priorities at a Nextgov event on Thursday, Stephen Hernandez, chief information security officer at the Education Department and chairman of the Federal CISO Council, said new policy on the software supply chain was imminent.
“I would not be surprised to hear something from [the Office of Management and Budget] in the coming weeks on what they want to do in the software space, in terms of the next step and building on what [the National Institute of Standards and Technology] has put out,” he said.
Asked to elaborate, Hernandez said policymakers are working to codify the efforts of NIST and other parts of government focused on cybersecurity, such as the Cybersecurity and Infrastructure Security Agency, or CISA, to help agencies understand the origins of the software running on government networks and to hold suppliers accountable for maintaining the security of that code.
“We will see a lot more discussion about software,” Hernandez said. “NIST has done a fantastic job of releasing the first version of the Secure Software Development Framework, and I think the next step will be that agencies will now have to start dealing with that and say, ‘Hey, vendors, you’re critical software. We will need you to talk to us and explain how you meet the requirements of the Secure Software Development Framework.’”
Agencies are already under a mandate from a May 2021 executive order to adhere to the framework, although the forthcoming policy may add further guidance and force to that requirement. OMB officials have previously said such guidance should address whether suppliers should be allowed to provide information through self-attestation or be required to provide it through third-party assessors, as in other programs such as the Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, and the Federal Risk and Authorization Management Program, or FedRAMP.
Hernandez also cited NIST Special Publication 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations,” which sets standards for securing software throughout the supply chain, including maintaining inventories of the software present on government networks as well as the provenance of all the code that makes up that software, a practice known in the cybersecurity community as the software bill of materials, or SBOM.
The first update to this document was released on Thursday.
“The other side of this coin – just as important and should be right on the heels – is this idea around SBOM and ensuring that we can get it from our software vendors,” Hernandez said. “And, hopefully, in some kind of machine-readable format.”
The machine-readable aspect is not trivial, Hernandez said, as agencies often lack the time and resources to deal with an incident or security vulnerability.
“When the next Log4j comes out, we want to be able to go to our [governance, risk and compliance] tool, start a search and see what contains this particular component so we can take action immediately,” he said. “It will be a big difference from what happened last time, which was that I pulled software development teams into my [security operations center] to start looking at different applications to see if they were affected.”
On a normal day, those teams would be maintaining or building applications to fulfill Education’s mission, rather than chasing potential security vulnerabilities.
Beyond the near term, Hernandez suggested that future executive orders could address the cybersecurity implications of quantum computing, complementing a pair of orders issued this week, and of artificial intelligence, which has also been the subject of past executive orders.