Software supply chain security is now top-of-mind for software producers and consumers alike, given the dramatic increase in malicious packages (as noted in RL's The State of Software Supply Chain Security 2024 report), and steady growth in software supply chain attacks. And the private sector isn’t alone in taking notice of the epidemic.
The U.S. federal government has turned its attention to software supply chain security in recent years, and more recently has stepped up its guidance with more comprehensive initiatives like Secure by Design, and more specific guidance on tooling with the Enduring Security Framework's call for comprehensive binary analysis and reproducible builds.
What started with the White House’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028), has grown into a plethora of compliance and guidance initiatives that have shaped the federal government’s policies on software supply chain security. Three years after the EO’s initial release, these efforts have begun to take effect, forcing software producers — particularly those that do business with the federal government — to take notice.
However, it's not just software organizations working with the federal government that need to get up to speed on this guidance and modernize their software supply chain security approach. Gartner's "Mitigate Enterprise Software Supply Chain Security Risks" report notes that open-source communities and enterprises alike should increase their scrutiny of supply chain risks and act to prioritize software supply chain security protections.
Here are 2023’s major federal initiatives related to software supply chain security, including a breakout of which items are guidelines versus mandates. Combined with our definitive timeline for software supply chain security guidance, teams can better assess what changes they need to make with their software security approaches in 2024.
National Cybersecurity Strategy
March 2023 | Guidance
The National Cybersecurity Strategy (PDF) outlines the federal government’s continued efforts to improve the nation’s cybersecurity. The Strategy comprises five pillar areas that address the federal government’s goals, and is framed by two fundamental shifts: rebalancing the responsibility to defend cyberspace, and realigning incentives in favor of long-term investments.
Secure by Design
April 2023 | Guidance
Secure by Design, released by the Cybersecurity and Infrastructure Security Agency (CISA) along with 17 other U.S. and international partners, is an initiative that aims to shift the burden of cybersecurity risk from end users to technology manufacturers and providers. The initiative asks software producers to take ownership at the executive level so that products are designed with security built in, and that security features are enabled by default once the product is released, rather than left for the customer to configure. One key aim of Secure by Design is to shift responsibility, and ultimately liability, for insecure products from the consumers of software to its producers.
Cybersecurity Information Sheet on Defending CI/CD Environments
June 2023 | Guidance
The Cybersecurity Information Sheet (CSI) on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments (PDF), released by CISA and the NSA, outlines recommendations and best practices for improving defenses in the development, security, and operations (DevSecOps) process. It explains how to integrate security into CI/CD environments so that security is not an afterthought for the software being built, and it describes what steps software publishers should take to keep hardening their software's defenses after the build.
SEC Rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
July 2023 | Mandate
The SEC released a set of rules on "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure." Under the rules, which took effect in 2023, SEC registrants must disclose material cybersecurity incidents and annually disclose "basic material information" about the company's cybersecurity risk management, strategy, and governance practices. The information that must be disclosed could include the state of software supply chain security at an organization, or details of a software supply chain attack the company has suffered.
Cybersecurity in Medical Devices
September 2023 | Mandate
The FDA released "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" as a reference document for device manufacturers, who must now address their medical devices' cybersecurity in premarket submissions in accordance with part (f) of Sec. 524B in H.R.2617, which includes the use of software bills of materials (SBOMs). In addition to providing an SBOM that covers the commercial, open-source, and off-the-shelf software components in the device, manufacturers must also disclose how they handle cybersecurity vulnerability management.
Software Identification Ecosystem Option Analysis
October 2023 | Guidance
CISA put forward new guidance on a "Software Identification Ecosystem," with the goal of an identifier scheme that is both precise (it names one specific piece of software) and general enough to support "grouping" of related software. A successful software identifier scheme should also capture properties such as software name and version, because both SBOM creation and vulnerability management, the two most important use cases, depend on them.
Recommended Practices for SBOM Consumption
November 2023 | Guidance
As part of the second phase of its "Securing the Software Supply Chain" guide, the Enduring Security Framework Software Supply Chain Working Panel (ESF) released "Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption" (PDF). The document is an SBOM-specific follow-up to the first three parts of the guide, which are aimed at software developers, suppliers, and customers, respectively. All of these stakeholders should use the guidance as a basis for describing, assessing, and measuring security practices across the software lifecycle, as well as the acquisition, deployment, and operational phases of the software supply chain, according to their respective responsibilities.
In 2024 and beyond, the federal government has indicated that it will continue to shape cybersecurity policy, including software supply chain security, in several ways.
The CISA Strategic Plan for 2024-2026, released in August 2023, outlines the government’s efforts regarding active threats, future threats and improving the security of the software ecosystem.
Among other things, CISA said that it aims to:
- Increase the number of technology providers that have published detailed threat models that document both areas in need of increased security and potential threats/adversaries.
- Increase the number of technology providers that have implemented the NIST Secure Software Development Framework (SSDF) and the various security controls it entails.
- Increase the number of software producers that publish secure-by-design roadmaps for their product that lay out changes the producer is making to their software development processes, the measurement of software defect rates, as well as goals for improvement such as the transition to memory-safe programming languages.
- Increase the number of technology providers that regularly publish security relevant statistics such as multi-factor authentication (MFA) adoption, use of unsafe legacy protocols, and the prevalence of customers using unsupported product versions.
These efforts to increase engagement by software producers are sure to be accompanied by additional guidelines and mandates from federal agencies and regulatory bodies.
Focus on AI
CISA has also indicated that it will focus on security risks related to the adoption of Artificial Intelligence (AI) in the coming years, with initiatives designed to help organizations safely use AI to advance cybersecurity while also protecting them from AI-driven threats, or efforts by adversaries to manipulate or abuse AI systems. As with secure software development, CISA’s work to secure AI will build on NIST’s AI Risk Management Framework.