Revised guidance from the National Institute of Standards and Technology, issued under President Joe Biden’s executive order on cybersecurity, points agencies to existing measures managed by the General Services Administration’s Federal Risk and Authorization Management Program, or FedRAMP.
Successive administrations going back to President Barack Obama’s have pushed federal agencies to use cloud service providers more widely to cut costs, and FedRAMP has been their way of checking that security was not sacrificed in the process. The program includes third-party assessment of cloud providers’ security practices and is a mandatory step for any agency that wants to buy cloud services. However, the program is not fully implemented, and compliance with it is not monitored by the Office of Management and Budget, according to GAO.
“The external system service providers discussed in this publication include cloud service providers,” the revised NIST publication reads. “This publication does not replace the guidance provided to federal agencies on security assessments of cloud service providers. When applying this publication to cloud service providers, federal agencies must first use the Federal Risk and Authorization Management Program (FedRAMP) guidelines and then apply this document to those processes and controls that are not addressed by FedRAMP.”
FedRAMP presents its own challenges, but the question of third-party assessment versus vendor self-attestation appears to be coming to the fore, and the administration may soon issue further instructions to agencies on the security of the software supply chain.
The guide released on Thursday is aimed at organizations that acquire software and other supply chain components and deploy them in their environments.
“The main audience for the revised publication is acquirers and end users of products, software and services,” NIST said in a press release. “The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and emphasizes the importance of monitoring for risk. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now addresses potential vulnerabilities such as the sources of code within a product or the retailers that carry it.”
At a recent event marking the release of the document, Angela Smith of NIST said the document has begun to address those key elements themselves, and that further guidance focused less on what acquirers need to do and more on what supply chain suppliers should be doing is on NIST’s to-do list.
NIST’s focus on the procurement process follows from the Biden administration’s approach to cybersecurity after the incident that has since become the poster child for supply chain attacks: SolarWinds.
The perpetrators of the attack, which sparked a storm of policy-making in the White House and Congress, also abused Microsoft Active Directory Federation Services to move laterally through victims’ networks. But reports of weak security in SolarWinds’ development and delivery environment, such as the use of the password “solarwinds123”, raised further questions about the responsibility of government software vendors.
Executive Order 14028 requires agencies to ask prospective vendors for a Software Bill of Materials (SBOM), which can be thought of as a list of the code libraries and other components built into a product, allowing buyers to get a better idea of any known vulnerabilities those components carry into it.
It also sets out specific cybersecurity elements that must be part of software development, such as properly securing build environments with tools like multifactor authentication. These elements are covered in the NIST Secure Software Development Framework (SSDF), which NIST also released as a special publication, SP 800-218, under the executive order.
Except for the most critical systems, for which agencies should use their own discretion, NIST said agencies should err on the side of accepting the word of their software vendors regarding the implementation of such security measures, rather than requiring artifacts that would serve as evidence.
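To make concrete what a buyer actually does with an SBOM once a vendor hands one over, here is an added example (written for this page; it is not code from NIST, the executive order, or any vendor). It parses a small SBOM in the CycloneDX JSON shape, then checks every listed component against an advisory list that says which version first fixed a flaw. The SBOM contents, the component names and the advisory identifiers are all constructed for illustration and are not real packages or real vulnerabilities; the handling of a component that ships with no version, which cannot be matched at all, is the edge case a reviewer most often hits in practice.

```python
"""Match components listed in a CycloneDX-style SBOM against an advisory list.

Everything below is constructed sample data: the component names, versions
and advisory IDs are hypothetical and do not refer to real software or CVEs.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM in the CycloneDX 1.4 JSON shape. The last entry
# deliberately omits a version to show how an unmatchable component is reported.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.2.3",
         "purl": "pkg:pypi/examplelib@1.2.3"},
        {"type": "library", "name": "otherlib", "version": "4.0.1",
         "purl": "pkg:pypi/otherlib@4.0.1"},
        {"type": "library", "name": "examplelib", "version": "1.3.0",
         "purl": "pkg:pypi/examplelib@1.3.0"},
        {"type": "library", "name": "vendored-blob"},
    ],
})

# Constructed advisory feed (hypothetical IDs, not real CVEs).
# "fixed_in" is the first version that no longer carries the flaw.
SAMPLE_ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-0001", "name": "examplelib", "fixed_in": "1.3.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "otherlib", "fixed_in": "4.0.1"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Non-numeric segments (e.g. "rc1") are treated as 0; a real tool would
    use a full version-scheme parser, but this keeps the example offline.
    """
    parts = []
    for segment in version.split("."):
        try:
            parts.append(int(segment))
        except ValueError:
            parts.append(0)
    return tuple(parts)


def load_components(sbom_json: str) -> List[Dict[str, Optional[str]]]:
    """Extract (name, version, purl) for each component in a CycloneDX SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for entry in doc.get("components", []):
        components.append({
            "name": entry.get("name") or "?",
            "version": entry.get("version"),  # may be None
            "purl": entry.get("purl"),
        })
    return components


def find_vulnerable(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per component that is below an advisory's fixed version.

    A component with no version is reported as a finding in its own right:
    an SBOM that cannot be matched gives the buyer no assurance either way.
    """
    findings = []
    for comp in load_components(sbom_json):
        if comp["version"] is None:
            findings.append({"name": comp["name"], "version": None,
                             "advisory": None, "reason": "no version in SBOM"})
            continue
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"name": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"],
                                 "reason": f"fixed in {adv['fixed_in']}"})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(finding)
```

Run against the constructed data, the check flags examplelib 1.2.3 (below the 1.3.0 fix) and the unversioned vendored-blob entry, while otherlib 4.0.1 and examplelib 1.3.0 pass. The second finding is the point an acquirer should not lose: an SBOM is only as useful as the identifiers in it, and components listed without a version or a package URL should be pushed back to the vendor rather than treated as clean.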