
Biden’s order strengthens CISA’s oversight of software supply chain


The cybersecurity executive order issued by the Biden administration this week reasserts the software supply chain security and secure software development requirements of a previous order, after three years of industry-driven delays.

Back in 2021, President Joe Biden signed executive order 14028, requiring software suppliers to provide software bills of materials (SBOMs) to federal government agencies. An SBOM is a machine-readable manifest that lists a product's software components and their dependencies. The Cybersecurity and Infrastructure Security Agency (CISA) was tasked with creating a process through which suppliers confirm the contents and security of their products.

Initially, CISA’s draft of a self-attestation form for suppliers included an explicit SBOM requirement. However, after consultations with industry leaders and a public comment period, the final version of the form released last year omitted the term SBOM. Instead, the form required software vendor executives to attest in writing to the security of their products, which disappointed SBOM advocates such as Joshua Corman, a long-time proponent of SBOMs in the federal government’s software supply chain security efforts.

The new cybersecurity executive order comes across as a final effort to uphold the original intention of executive order 14028 before a new presidential administration takes over. This order reinstates the requirement for specific data to be provided by federal suppliers, though SBOMs are not explicitly mentioned. Within 30 days, the directors of CISA and NIST are required to recommend contract language that mandates software providers to submit machine-readable secure software development attestations, high-level artifacts to validate those attestations, and a list of the providers’ Federal Civilian Executive Branch (FCEB) agency software customers to CISA’s Repository for Software Attestation and Artifacts (RSAA).

Moreover, within 120 days, multiple federal agencies must update the Federal Acquisition Regulation to include the new language. The order also calls for updates to the NIST Secure Software Development Framework and incorporates the requirements into CISA’s self-attestation process, covering aspects such as patching and following secure software development best practices.

The order also tasks the National Cyber Director with referring failed attestations to the Attorney General for appropriate action, adding enforcement teeth to the efforts. This move has been seen as a significant step by experts like Brian Fox, Co-founder and CTO of Sonatype, who believes it will provide actual consequences for false attestations.

However, there is still a degree of ambiguity regarding how the new order will be interpreted by suppliers and federal officials. The phrase “high-level artifacts to validate those attestations” leaves room for different interpretations. While some experts like Joshua Corman hope that this could lead to more SBOMs being provided, others like Chris Hughes see this as an opportunity for agencies to gain more detailed insights into the secure delivery of software.

Looking ahead, experts like Dan Lorenc believe there is room for improvement and further evolution in the self-attestation programs to enhance enforceability and incorporate more actionable controls. The potential for future advancements in the program, similar to FedRAMP, could help strengthen cybersecurity efforts.

In conclusion, the new cybersecurity executive order represents a crucial step towards enhancing software supply chain security and secure software development in the federal government. However, the success of these efforts will depend on the interpretation and implementation of the order by all stakeholders involved.
