The Significance of the Cybersecurity Executive Order and the Role of SBOMs
In May 2021, the White House issued the Cybersecurity Executive Order for National Cybersecurity, which aimed to transform software development practices across industries. While the order specifically applied to those doing business with the US federal government, it was expected to lead to the standardization of security practices throughout the software development life cycle, not just in federal dealings.
One of the key requirements outlined in the executive order was the need for suppliers of software and software-driven products to certify their compliance with the order’s guidelines. These guidelines focused on software composition analysis (SCA), securing the software supply chain, and software bills of materials (SBOMs). The order suggested that developers provide SBOMs for all products and track the provenance of both internal and third-party software components.
CISA’s Secure Software Development Attestation Form
To enforce the requirements of the executive order, the Cybersecurity and Infrastructure Security Agency (CISA) recently released a Secure Software Development Attestation Form for suppliers to the federal government to self-report their compliance. This move has caused some confusion, however, with some mistakenly assuming that SBOMs are being de-emphasized because the form does not explicitly require them.
Contrary to this misconception, CISA’s attestation form actually solidifies the role of SBOMs as the first line of defense for software security. CISA’s guidance relies heavily on the National Institute of Standards and Technology (NIST), particularly its Secure Software Development Framework (SSDF), which outlines fundamental best practices in software development.
Navigating Legacy Software and Compliance with NIST Guidance
While the SSDF is a valuable framework for developing compliant software going forward, retrofitting legacy software or altering products already in the development pipeline to fully conform to the NIST guidance presents challenges. Acknowledging this, NIST mapped the requirements of the executive order to the SSDF guidance, specifically emphasizing the need to establish secure software development environments, provide SBOMs for each product, and maintain trusted source code supply chains.
The Continued Importance of SBOMs
Despite initial appearances, CISA’s self-attestation form does not undermine the significance of SBOMs as a critical artifact for software developers to document compliance with the cybersecurity mandate. On the contrary, SBOMs remain an essential element for satisfying federal requirements, along with application security testing technologies such as static application security testing (SAST) and dynamic application security testing (DAST).
CISA only requires that suppliers to the federal government state their adherence to specific aspects of the SSDF, including the use of SBOMs, as a means of confirming how they detect and remediate vulnerabilities. Skipping the use of SBOMs to document third-party software inventory and vulnerability exposure would be a risky move, as SBOMs play a vital role in detailing software components, itemizing dependencies, and identifying known vulnerabilities.
CISA’s instructions emphasize that establishing and maintaining processes for producing and updating SBOMs can serve as a means for software producers to demonstrate compliance with certain minimum requirements. Additionally, the self-attestation requirement alleviates suppliers’ concerns over public disclosure, as SBOMs are only required to be available for review rather than published, protecting both security and intellectual property.
The Role of Automation and Artifact Management
The Secure Software Development Attestation Form also clarifies the use of tools and artifacts to improve software supply chain security. It mandates a “good-faith effort to maintain trusted source code supply chains” using automation and taking reasonable steps to address the security of third-party components and manage related vulnerabilities.
Furthermore, the form highlights the importance of automation in detecting and remediating vulnerabilities, extending its scope beyond third-party code to security vulnerabilities that may arise during development. This supports the use of not only SCA but also SAST, DAST, and other tools to enhance overall software security.
Conclusion: Enacting New Standards and Ensuring Compliance
It is important not to overlook the continued significance of SBOMs as the primary artifact for software developers to document compliance with the White House’s cybersecurity mandate. The recent release of CISA’s Secure Software Development Attestation Form reinforces the importance of SBOMs and clarifies their role in meeting federal requirements.
Delays in implementing these new standards and measures to improve software supply chain security only increase the risks associated with noncompliance. Software developers and suppliers must prioritize adhering to the executive order’s guidelines, utilizing SBOMs, and employing application security testing technologies to proactively address vulnerabilities and ensure the integrity and security of their software products.