Improving the Nation's Cybersecurity
In May 2021, President Joe Biden signed Executive Order (EO) 14028 on Improving the Nation's Cybersecurity. The EO directs Federal agencies to develop new security requirements for software vendors selling into the U.S. government. It has already had a major impact on global software development processes and lifecycles, even for organizations that do not sell to the Federal government.
Upcoming Milestones
(Section 4()) Commerce shall issue elements for a Software Bill of Materials (SBOM)
The SBOM will be a critical component of the eventual regulations issued under EO 14028. An SBOM is effectively an ingredients list: the components (source code, libraries, modules, and so on) that make up a particular piece of software. Software providers write some of their own code, but much of a product consists of components written by third parties, or depends on such code. An SBOM records the origin and ownership of those components and the relationships between them.
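A practitioner who has to produce or consume an SBOM usually wants to know two things: whether it carries the NTIA minimum elements (supplier name, component name, version, other unique identifiers, dependency relationship, author of the SBOM data, timestamp), and what the dependency graph actually contains once transitive relationships are followed. The following is an added example, not Finite State's code or any tool's output; it checks a constructed CycloneDX 1.4-style JSON SBOM against those elements and walks its `dependencies` graph. Field names (`metadata`, `components`, `dependencies`, `bom-ref`, `purl`, `cpe`, `swid`) follow the CycloneDX JSON schema; the sample SBOM, the component names and the `Example Vendor` supplier are made up for the demonstration.

```python
"""Check a CycloneDX-style JSON SBOM against the NTIA minimum elements.

Added example (not Finite State's code). SAMPLE_SBOM is a constructed
document: a firmware image built from two third-party libraries, one of
which pulls in a transitive dependency that lists no supplier and no
unique identifier, so the checker has something to find.
"""
import json
from collections import deque

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000001",
    "version": 1,
    "metadata": {
        "timestamp": "2021-11-08T12:00:00Z",           # NTIA: timestamp
        "authors": [{"name": "Example Build System"}],  # NTIA: author of SBOM data
        "component": {"bom-ref": "app", "type": "firmware",
                      "name": "example-fw", "version": "2.3.0",
                      "supplier": {"name": "Example Vendor"}},
    },
    "components": [
        {"bom-ref": "lib-a", "type": "library", "name": "libtls",
         "version": "1.2.0", "supplier": {"name": "TLS Upstream"},
         "purl": "pkg:generic/libtls@1.2.0"},
        {"bom-ref": "lib-b", "type": "library", "name": "libcompress",
         "version": "0.9.1", "supplier": {"name": "Compress Upstream"},
         "purl": "pkg:generic/libcompress@0.9.1"},
        # Transitive dependency with no supplier and no purl/cpe/swid.
        {"bom-ref": "lib-c", "type": "library", "name": "libbase64",
         "version": "3.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": ["lib-c"]},
        {"ref": "lib-b", "dependsOn": []},
        {"ref": "lib-c", "dependsOn": []},
    ],
})


def check_minimum_elements(sbom_json):
    """Return a list of findings; an empty list means every element is present."""
    sbom = json.loads(sbom_json)
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("sbom: missing timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("sbom: missing author of SBOM data")
    # Every component must appear in the dependency graph, even as a leaf.
    deps = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    for c in sbom.get("components", []):
        ref = c.get("bom-ref", c.get("name", "<unnamed>"))
        if not c.get("name"):
            findings.append(f"{ref}: missing component name")
        if not c.get("version"):
            findings.append(f"{ref}: missing version")
        if not c.get("supplier", {}).get("name"):
            findings.append(f"{ref}: missing supplier name")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            findings.append(f"{ref}: missing unique identifier (purl/cpe/swid)")
        if ref not in deps:
            findings.append(f"{ref}: no dependency relationship recorded")
    return findings


def transitive_dependencies(sbom_json, root=None):
    """Breadth-first walk of the dependency graph from root (default: the
    top-level component); returns the set of bom-refs it reaches."""
    sbom = json.loads(sbom_json)
    if root is None:
        root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, queue = set(), deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


if __name__ == "__main__":
    for finding in check_minimum_elements(SAMPLE_SBOM):
        print(finding)
    print("reachable from root:", sorted(transitive_dependencies(SAMPLE_SBOM)))
```

Run against the sample, the checker reports only `lib-c`, the transitive dependency that the top-level component never references directly; that is the point of requiring the dependency relationship element, since a flat list of direct dependencies would not have surfaced it. The check is deliberately lenient about where the author is recorded (`authors` or `tools`), because build tooling often fills in one but not the other.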
(Section 4(r)) Commerce (acting through NIST) shall publish guidelines recommending minimum standards for testing of software code
In this document, NIST outlines the basic techniques that software developers should already be using to test the security and functionality of their code. It effectively establishes a floor for the regulations that will eventually be issued under EO 14028. While we are still waiting to see how detailed and rigorous those regulations will be, these minimum standards provide a reference point for what is still to come in the implementation of the EO.
(Section 4(c)) NIST shall issue preliminary guidance (based on input solicited under Section 4(b)) for enhancing software supply chain security
This will likely give us the earliest sense of the regulations that will eventually be issued under EO 14028. Because it is labeled "preliminary" guidance, we expect NIST to use it to preview the focus, tenor, and degree of specificity that the final regulations will carry.
(Section 4(e)) NIST shall issue guidance identifying practices to enhance the security of the software supply chain
Following the issuance of NIST's preliminary guidance on November 8, 2021, we will be able to assess the strength and focus of the software industry's reaction to the general direction of the regulations to be issued under EO 14028. The Section 4(e) guidance will reveal the extent to which NIST has had to adjust or recalibrate its plan in response, and should provide a good deal of clarity on where the final regulations will actually land.
Guides & Resources
Supply Chain Security Guidance
Guidance on the President's recent Executive Order on Improving the Nation's Cybersecurity and its impact on supply chain security for software and firmware developers and IoT device manufacturers.
SBOM Minimum Requirements
The NTIA has released SBOM minimum elements. Finite State Experts discuss the technical and logistical challenges in meeting them.
NIST defines "critical software"
Finite State General Counsel Eric Greenwald discusses the effects on software and device vendors, even those that don't sell to the Federal government.
Finite State Platform Datasheet
See how the Finite State Platform can help your organization meet product security standards and requirements.
Important Milestones for EO 14028
President Biden issues Executive Order 14028
This is a monumental shift that has had an immediate impact on global software development processes and lifecycles.
NIST Defines "Critical Software"
The first step was for NIST to define which software counts as "critical" and should therefore be addressed first. That definition is expected to expand, and some agencies have discretion to require the standards for components and systems that they themselves deem critical.
NTIA issues minimum elements for SBOM
This was the first step in determining what must be included in one of the EO's most critical initiatives: the Software Bill of Materials.
OMB requires agencies to comply with NIST Guidance for critical software
The EO directs NIST to issue guidance on security measures for critical software, and further directs the Office of Management and Budget (OMB) to require agencies to comply with that guidance.
NIST will issue preliminary guidance for enhancing software supply chain security
This will be a major step in setting standards for the future of software and device supply chain security.
Supply Chain Guidance
Gain insight into how to prepare for the new supply chain security standards resulting from Executive Order 14028.