On Wednesday, May 12, President Biden signed an extensive executive order (EO) on improving the nation's cybersecurity. The EO is aimed at U.S. federal departments and agencies and at federal contractors, but its requirements and the standards that follow from it are likely to have a much broader impact across critical infrastructure sectors worldwide and the technology providers that serve them.
Prompted by a series of serious cyberattacks, the EO is an acknowledgement that the United States will continue to face sophisticated cyber threats with progressively more serious consequences. The recent attacks on SolarWinds and Colonial Pipeline, along with attacks on healthcare and other critical infrastructure sectors, have been highly disruptive and have also exposed significant weaknesses in the software supply chain.
While the directives in the EO technically apply only to U.S. departments, agencies, and their technology vendors, buyers and suppliers across critical infrastructure are likely to adopt them as well, using them as a "north star" for security expectations.
Both the U.S. government and private industry find it difficult to share threat intelligence. The EO recognizes the unique visibility that technology providers have into threat activity and seeks to encourage greater exchange of threat intelligence between sectors to advance economic and national security. The EO also expands incident reporting expectations for providers of software products and services, an important step toward shrinking the window in which attackers can reuse the same intrusion against multiple targets.
The requirements for U.S. federal agencies to implement zero-trust architectures, together with related endpoint detection, response, and logging practices, underscore a security strategy reoriented around threat-based defense. The EO also recognizes continued exposure through the supply chain, encouraging both government and commercial sectors to plan on the assumption that threat actors will, at some point, gain initial access.
While the guidelines set out in the EO are only in their early stages, it is not too early for technology providers to start preparing. In the spirit of not reinventing the wheel, purpose-built secure software frameworks such as the NIST Secure Software Development Framework (SSDF) and the Building Security In Maturity Model (BSIMM) are valuable starting points for assessing readiness for whatever new standards result from the EO. Providers should also consult the NCSC's guidance on supply chain security and its Cyber Assessment Framework. As the DCMS Cyber Security Breaches Survey 2021 highlighted, however, fewer than 15% of UK organizations currently maintain a formal process for reviewing the security of their digital supply chain. That reality underscores the scale of the challenge facing providers.
Software producers will also be expected to have a more substantial understanding of how their software is authored, tested, and protected. This includes keeping an accurate record of the origin of each software component used to build an application, corroborating test results and the risks mitigated during testing, and implementing automated processes to maintain trust in the software supply chain throughout the software lifecycle. A software bill of materials (SBOM), a key element of the EO, provides a common format for documenting and communicating the components of a given application and so reduces the opacity of its code, especially for third-party and open source components.
Technology vendors must also anticipate being the target of a cyberattack, adopt threat-informed defenses, and implement and validate controls against the malicious behavior they expect to see. Understanding the anatomy of recent supply chain attacks and their associated tactics, techniques, and procedures (TTPs) leaves defenders better able to minimize risk to the software that powers their business operations.
For their part, technology buyers should begin reviewing security frameworks such as the SSDF and BSIMM, and the NCSC guidance, with a view to incorporating them into contractual requirements and SLAs with suppliers. Do not forget independent validation and verification testing, or breach notification arrangements: as in any supply chain, the weakest link may not be inside your own organization.
An SBOM enables a buyer to identify the risks associated with the components used in each application, such as vulnerabilities disclosed through the U.S. National Vulnerability Database (NVD), a centralized public database of software vulnerabilities. Because vulnerabilities will continue to be disclosed over the life of the application, an ongoing monitoring process that matches new disclosures against the contents of each application's SBOM is key to keeping the deployed software fully patched. Buyers should seek attestation from suppliers whenever there is any question about whether a given weakness, vulnerability, patch, or mitigation applies.
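The SBOM matching described above (document the components of an application, then continuously compare them against a vulnerability feed) is easy to get subtly wrong, so here is a worked example. It is added here and is not code from the article or from any vendor or government tool. The SBOM is a small constructed CycloneDX-style JSON document, the advisory feed is constructed with hypothetical identifiers of the form `ADV-2021-000N` (not real CVEs), and version ordering is simplified to dotted numeric comparison; a real deployment would pull the feed from NVD or OSV and use each ecosystem's own version rules.

```python
"""Match the components in an SBOM against a vulnerability feed.

Added example, not code from the article or any vendor. The SBOM and the
advisory feed below are constructed and the advisory IDs are hypothetical.
"""
import json
from typing import Dict, List, Optional, Set, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical application (not real data).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "components": [
    {"type": "library", "name": "widgetlib", "version": "1.4.2",
     "purl": "pkg:pypi/widgetlib@1.4.2"},
    {"type": "library", "name": "leftpad", "version": "1.3.0",
     "purl": "pkg:npm/leftpad@1.3.0"},
    {"type": "library", "name": "parsekit", "version": "3.0.1",
     "purl": "pkg:maven/org.example/parsekit@3.0.1"}
  ]
}"""

# Constructed advisory feed with hypothetical IDs. Each entry names the
# version-less purl it applies to, the first affected version and the first
# fixed version (None means no fix has been published yet).
FEED: List[Dict[str, Optional[str]]] = [
    {"id": "ADV-2021-0001", "purl": "pkg:pypi/widgetlib", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "ADV-2021-0002", "purl": "pkg:pypi/widgetlib", "introduced": "1.5.0", "fixed": None},
    {"id": "ADV-2021-0003", "purl": "pkg:maven/org.example/parsekit", "introduced": "2.0.0", "fixed": "3.0.0"},
    {"id": "ADV-2021-0004", "purl": "pkg:npm/leftpad", "introduced": "1.0.0", "fixed": None},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Pre-release and build suffixes ("1.4.2-rc1", "1.4.2+build7") are dropped.
    This is a simplification; real ecosystems need their own ordering rules
    (PEP 440, semver, Maven), and a pre-release is usually *older* than the
    release it precedes.
    """
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Separate a purl into its version-less base and its version."""
    base = purl.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    if "@" in base:
        base, version = base.rsplit("@", 1)
        return base, version
    return base, None


def match_sbom(sbom_json: str, feed: List[Dict[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Return (component purl, advisory id) pairs for every affected component."""
    sbom = json.loads(sbom_json)
    findings: List[Tuple[str, str]] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no package identity to match on; flag such entries in real use
        base, version = split_purl(purl)
        if version is None:
            version = comp.get("version")
        if version is None:
            continue
        for adv in feed:
            if adv["purl"] == base and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((purl, adv["id"]))
    return findings


def new_findings(findings: List[Tuple[str, str]],
                 already_triaged: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Ongoing monitoring: only pairs not yet triaged are new work for the buyer."""
    return [f for f in findings if f not in already_triaged]


if __name__ == "__main__":
    found = match_sbom(SBOM_JSON, FEED)
    for purl, adv_id in found:
        print(f"{adv_id}: {purl}")
    # Simulate a later run after the first finding was triaged with the supplier.
    triaged = {("pkg:pypi/widgetlib@1.4.2", "ADV-2021-0001")}
    print("new since last run:", new_findings(found, triaged))
```

Two details matter in practice. The match is on the version-less purl rather than on a bare package name, because the same name can exist in several ecosystems; and the range check is half-open, so a component sitting exactly on the fixed version is correctly reported as patched. The `new_findings` step is what turns a one-off scan into the ongoing monitoring the EO expects: each run compares against the set already triaged (or attested to by the supplier) so only genuinely new disclosures create work.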
And finally, technology buyers and producers need to consider zero-trust deployments, in which users are granted access to a network service for a specific task, must re-authenticate for new tasks, and are continuously monitored for abnormal activity. Security planning should also apply the principles of zero trust within the enterprise and across the software lifecycle, eliminating implicit trust in any network node or access point. Doing so makes it harder for an adversary to find single points of weakness at the boundaries between traditional interconnected networks, development environments, and cloud-enabled services.