The U.S. government is moving quickly and aggressively to address cybersecurity vulnerabilities affecting both the federal government and the private sector.
In a sweeping executive order (EO), President Joseph Biden has directed federal agencies to set up multiple programs designed to mitigate the kinds of recent cybersecurity attacks that have gained national attention.
The information technology sector, including companies that are directly and indirectly involved in providing IT products and services to the federal government, will be especially affected by the provisions of Biden’s “Executive Order on Improving the Nation’s Cybersecurity.”
The United States “faces persistent and increasingly sophisticated malicious cyber campaigns,” the president declared when he issued the EO on May 12, 2021. “Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” he said.
Plan Embraces Multiple Cyber Mechanisms
The EO set forth several goals for improving cybersecurity within the federal government including strengthening standards and bolstering detection. The directive also calls for improving cyber information sharing between the government and businesses, and the establishment of a Cybersecurity Safety Review Board, modeled after the National Transportation Safety Board.
In general, the IT and business communities supported the Biden plan — but mainly in the context that the EO was a first step and would require significant private sector input. Aaron Cooper, vice president of global policy at BSA | The Software Alliance, said the group was “impressed by the breadth and boldness of this executive order,” while noting that BSA was open “to working with the Administration on implementation and to promoting software security practices both in and out of the government.”
In a similar vein, Jason Oxman, president of the Information Technology Industry Council (ITI), applauded the initiative while noting that his organization anticipates collaborating with the Administration to enhance security “while minimizing any potential impact on privacy, civil liberties, and U.S. competitiveness.”
Software Tracking Sparks Vendor Attention
Importantly, the initiative required the issuance of a document describing the “minimal elements” of a Software Bill of Materials (SBOM) that federal agencies can use to ensure cyber protection when contracting with vendors for the procurement of IT products and services.
The EO aimed at incorporating an SBOM protective scheme into federal IT and operational technology (OT) contract procurements within a year, through the federal acquisition regulation (FAR) process.
That procurement impact likely drove the submission of more than 80 comments to the National Telecommunications and Information Administration (NTIA), an agency within the Department of Commerce. The executive order charged NTIA with defining the scope of an SBOM program for use in federal contracting. NTIA complied by issuing an SBOM guidance and requirements report on July 12.
“An SBOM is a formal record containing the details and supply chain relationships of various components used in building software,” according to NTIA. The risk theory attached to SBOMs is that the more a software user or customer knows about the building blocks of a software product or service — the elements — the more capable the user will be in detecting vulnerabilities associated with each element.
“Though an SBOM won’t solve all software security problems, it offers the potential to track known newly emerged vulnerabilities and risks, and it can form a foundational data layer on which further security tools, practices, and assurances can be built,” said Allan Friedman, NTIA’s Director of Cybersecurity Initiatives.
Sense of Urgency
In the Executive Order, the government contended that such disclosures are sorely lacking in the federal IT acquisition process, and there is a “pressing need” to remedy the situation.
“The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors,” the EO said.
The detailed prescriptive nature of the EO may, at first glance, appear to be an exercise of getting too much into the weeds of federal IT procurement.
However, Eric Byres, founder and chief technology officer at Adolus, a software security services provider, wrote in a blog posting: “I’ll start with the observation that securing the software supply chain is arguably the major focus of this executive order.” Citing the recent SolarWinds breach of federal IT, he added that “that kind of widespread havoc was certain to set the tone for this EO.”
In its comments to NTIA prior to the agency’s July 12 release of the SBOM document, the Internet Association (IA) supported the effort, but said that while the NTIA approach may make sense for conventional software running on customer premises, it “does not sufficiently account for some of the unique elements inherent in cloud services.”
IA reasoned that “as a service” delivery mechanisms “present a different use case,” adding that since the code base changes at a rapid pace with cloud deployments, SBOM component references may become obsolete “almost immediately.” IA urged NTIA to address this issue by using the existing government cloud procurement program, FedRAMP, to incorporate SBOM protocols.
“SBOMs are an important transparency enhancing tool but should not be misconstrued as a mechanism to improve secure software development practices. Importantly, NTIA should not try to solve the entire complex supply chain security challenge through SBOMs, but should instead focus on making them viable by keeping their minimum elements as simple as possible,” said John Miller, senior vice president of policy and general counsel at ITI.
NTIA should consider SBOM protections as just one aspect of a “holistic” approach to cybersecurity issues, ITI said in its comments to NTIA.
Much To Discuss
More specifically, ITI took a cautious view on standardizing certain aspects of security, including references to Common Vulnerabilities and Exposures (CVE) identifiers used to label security flaws, because “not all vendors have the same business model or the same mechanisms to provide information about vulnerabilities in software.”
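The passages above describe what an SBOM is for (a record of components and their supply chain relationships that lets a consumer spot known vulnerabilities in each element) and where the friction lies (linking components to vulnerability identifiers such as CVEs). The following script is an added example, not code from the article, NTIA, or any vendor named here. It loads a constructed SBOM carrying the data fields the NTIA minimum-elements document lists (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp), cross-references it against a constructed vulnerability feed with placeholder advisory ids, and walks the dependency graph to show which top-level product is exposed through which transitive component. The dotted-integer version comparison is a simplifying assumption; real ecosystems need ecosystem-specific version semantics.

```python
"""Cross-reference a minimal SBOM against a known-vulnerability list.

Added example: the SBOM, the vulnerability records, the component names and
the advisory ids below are all constructed for illustration (not real CVEs).
"""
import json
from typing import Dict, List

# Constructed SBOM document using the NTIA minimum-element fields.
SBOM_JSON = """
{
  "author": "example-vendor-sbom-tool",
  "timestamp": "2021-07-12T00:00:00Z",
  "components": [
    {"supplier": "Example Vendor", "name": "webapp", "version": "2.1.0",
     "identifier": "pkg:example/webapp@2.1.0", "depends_on": ["httpkit", "logfmt"]},
    {"supplier": "HttpKit Project", "name": "httpkit", "version": "1.4.2",
     "identifier": "pkg:example/httpkit@1.4.2", "depends_on": ["tlswrap"]},
    {"supplier": "TLS Wrap Maintainers", "name": "tlswrap", "version": "0.9.1",
     "identifier": "pkg:example/tlswrap@0.9.1", "depends_on": []},
    {"supplier": "LogFmt Authors", "name": "logfmt", "version": "3.0.0",
     "identifier": "pkg:example/logfmt@3.0.0", "depends_on": []}
  ]
}
"""

# Constructed vulnerability feed. "affected_below" means every version lower
# than the stated one is affected. Ids are placeholders, not real CVE numbers.
VULN_FEED = [
    {"id": "VULN-EXAMPLE-001", "name": "tlswrap", "affected_below": "0.9.3"},
    {"id": "VULN-EXAMPLE-002", "name": "logfmt", "affected_below": "2.9.0"},
]

REQUIRED_DOC_FIELDS = ("author", "timestamp", "components")
REQUIRED_COMPONENT_FIELDS = ("supplier", "name", "version", "identifier", "depends_on")


def parse_version(v: str) -> tuple:
    """Simplifying assumption: versions are dotted integers ("1.4.2")."""
    return tuple(int(part) for part in v.split("."))


def load_sbom(text: str) -> Dict[str, dict]:
    """Parse the SBOM and reject documents missing any minimum element."""
    doc = json.loads(text)
    for field in REQUIRED_DOC_FIELDS:
        if field not in doc:
            raise ValueError(f"SBOM missing required field: {field}")
    components = {}
    for comp in doc["components"]:
        for field in REQUIRED_COMPONENT_FIELDS:
            if field not in comp:
                raise ValueError(f"component missing required field: {field}")
        components[comp["name"]] = comp
    return components


def find_vulnerable(components: Dict[str, dict], feed: List[dict]) -> Dict[str, List[str]]:
    """Map component name -> advisory ids whose affected range covers its version."""
    hits: Dict[str, List[str]] = {}
    for advisory in feed:
        comp = components.get(advisory["name"])
        if comp is None:
            continue  # the SBOM does not contain this component at all
        if parse_version(comp["version"]) < parse_version(advisory["affected_below"]):
            hits.setdefault(comp["name"], []).append(advisory["id"])
    return hits


def exposure_paths(components: Dict[str, dict], root: str,
                   vulnerable: Dict[str, List[str]]) -> List[List[str]]:
    """Follow dependency relationships from root; return every path that
    ends at a vulnerable component, so the consumer sees how it is exposed."""
    paths: List[List[str]] = []

    def walk(name: str, path: List[str], seen: frozenset) -> None:
        if name in seen:  # guard against cyclic dependency records
            return
        path = path + [name]
        if name in vulnerable:
            paths.append(path)
        for dep in components.get(name, {}).get("depends_on", []):
            walk(dep, path, seen | {name})

    walk(root, [], frozenset())
    return paths


if __name__ == "__main__":
    comps = load_sbom(SBOM_JSON)
    hits = find_vulnerable(comps, VULN_FEED)
    for path in exposure_paths(comps, "webapp", hits):
        leaf = path[-1]
        print(" -> ".join(path), "affected by", ", ".join(hits[leaf]))
```

Run as a script it reports that `webapp` is exposed through `httpkit` to the vulnerable `tlswrap` version, while `logfmt` 3.0.0 is not flagged because it is outside the affected range. The `load_sbom` check is the consumer-side counterpart of the “minimal elements” requirement: an SBOM that omits versions or dependency relationships cannot support this matching at all.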
While the NTIA approach envisions the use of SBOMs in federal contracting within a year, implementation could well involve more dialogue. The Internet Association noted that while its concerns about “as a service” and cloud-based deployments were not specifically addressed by NTIA, “the intention to address them in the future is encouraging.” NTIA left the door open for more discussion through an iterative process.
In a statement provided to the E-Commerce Times by spokesperson Christina Martin, IA noted “there was a call for continued public and private cooperation” in NTIA and National Institute of Standards and Technology (NIST) documents, especially as it relates to applying SBOM and developer verification standards to cloud-based services.
Industry input “will be especially important for any changes to the FAR or procurement processes, so we hope the public comment process that is typically used for changes to the FAR will be followed,” IA said.
“We’re encouraged NTIA has indicated it will continue to engage industry stakeholders and build on the process for defining critical elements of a Software Bill of Materials. We look forward to working with them on this effort,” Courtney Lang, senior director of policy for ITI told the E-Commerce Times.
Whatever direction the U.S. government takes regarding software security issues related to SBOM, the program is already having an impact in the private sector.
For the short term, the NTIA’s July 2021 report “will be the definitive document for federal regulations,” said Byres. “But it will quickly be superseded by market-driven enhancements. Now that the federal government has set the SBOM ball rolling, we are seeing numerous large companies also demanding SBOMs from their suppliers,” he told the E-Commerce Times.