The US government has recently implemented new software security requirements that will impact organizations selling software to government agencies. Many leaders are uncertain about the potential impact of these requirements on their organizations. To shed some light on the situation, this article will provide an overview of the key concepts related to these new requirements and explain how organizations can protect their government business and remain in compliance.
In recent years, there have been significant security incidents that have drawn attention to the importance of software security. High-profile incidents such as the SolarWinds cyberattack and the Log4j vulnerability have prompted the US government to prioritize software security. This focus on software security culminated in the issuance of White House Executive Order 14028 in May 2021, which aimed to improve the nation’s cybersecurity. This executive order set the stage for a series of actions and requirements that impact software suppliers to the government.
Under these new requirements, organizations selling software to the US government must self-attest that they adhere to the secure software development practices outlined in the NIST Secure Software Development Framework. It is important to note that this attestation requirement extends not only to the software code that organizations write themselves but also to the open source components they incorporate into their applications.
To reinforce these requirements, the government released OMB memorandum M-23-16 in early June, further emphasizing the importance of compliance. This memorandum established deadlines for compliance, which are fast approaching. Critical software must be in compliance by the fourth quarter of this year, while all other software must comply by the first quarter of next year.
Organizations now face the challenge of understanding and implementing these new attestation requirements within tight deadlines. Notably, compliance with the NIST SSDF can be complex and time-consuming, as it requires organizations to ensure adherence to security practices and document them in detail.
One particularly challenging aspect of compliance involves open source components. Modern software often incorporates a significant number of open source components, alongside custom code. Surveys have shown that over 90% of applications contain open source components, with open source code comprising more than 70% of the codebase in many cases.
Demonstrating that open source components adhere to the required security practices poses a significant challenge. Open source maintainers, who often contribute to open source projects as unpaid volunteers, may lack the resources or capacity to validate their security practices against the rigorous standards outlined in the NIST SSDF. Given the prevalence of open source components in modern software development, avoiding their use is not a viable solution.
One possible approach to address this challenge is to ensure that open source maintainers receive financial support to perform important security work. Organizations can conduct additional research to identify open source components with maintainers who are being paid, either through corporate benefactors, foundations, or commercial initiatives, to ensure that their packages meet the required security standards. Alternatively, organizations can establish partnerships with open source maintainers and provide corporate sponsorship for their work. However, given the numerous open source dependencies in most modern applications, scaling this approach can be labor-intensive.
While compliance with the new software security requirements may be challenging, the requirements represent a crucial step forward in addressing security vulnerabilities that pose significant risks to both the public and private sectors. As the largest buyer of goods and services, including IT, the US government wields significant purchasing power to drive improvements in software security standards. By leveraging its influence, the government aims to create a safer and more secure future for all.