Citing nation-state threats, the outgoing Biden administration signed Executive Order 14144 just days before the end of President Biden’s term. The executive order, Strengthening and Promoting Innovation in the Nation’s Cybersecurity, takes several steps aimed at tightening cybersecurity among federal agencies. Most noteworthy are provisions addressing the security of third-party software, which could have a far-reaching impact on software security more broadly and could further the use of software bills of materials (SBOMs) at the federal level.
On its first day in office, the Trump administration revoked dozens of executive orders put into place by the Biden administration, but there is no indication that EO 14144 was affected by those actions.
The executive order mandates new layers of transparency and accountability for software providers that work with federal agencies. Key provisions require software vendors to submit machine-readable secure software development attestations and to provide high-level artifacts validating their security practices. The Cybersecurity and Infrastructure Security Agency (CISA) will centrally verify these attestations, with the ability to publicly identify providers with insufficient security measures and to refer them to the Attorney General.
Notably, the order establishes strict requirements for software development, including the creation of a consortium to develop guidance on secure software development practices. Federal agencies will be required to use only software from providers who can demonstrate robust security protocols, with a particular focus on addressing known exploitable vulnerabilities.
In its analysis of the order, research firm Forrester advises stakeholders not to wait to begin complying.
“This EO will require a heavier lift than just updating policies and controls. This is especially relevant in areas such as third-party software supply chains if agencies are to meet its intent ‘integrate cybersecurity supply chain risk management programs into enterprise-wide risk management activities,’” a team of Forrester’s security analysts wrote.
Forrester advises affected organizations to gather data and to anticipate actions from CISA and others, and noted that the Biden administration’s 2021 cybersecurity EO took considerable effort to comply with. Forrester expects this EO to do so as well.
The research firm also advised software makers to keep an eye out for the National Institute of Standards and Technology (NIST) to update its Secure Software Development Framework (SSDF) and to expect SBOMs to play a key role in software artifact attestations.
“Private-sector partners will also have a critical role in supporting departments and agencies by demonstrating their own commitment to the new cybersecurity requirements among the products and services that they provide to the government,” Forrester wrote.
Chris Wysopal, chief security evangelist at software security provider Veracode, said it could be a challenge for software makers to implement all of the mandated practices.
“I think it is hard to implement all of the practices in the CISA attestation form but without them you are likely not delivering secure software and it is understandable if customers requiring assurance don't want to purchase your software,” said Wysopal. “That is the part that software vendors need to understand. There are vendors that do have these practices and now you are competing on security practices with them,” he said.
Wysopal added that he believes the actions called for in the EO will help improve the security of the software sold to the federal government and that it will also improve software security more broadly.
“When there are specific requirements that need to be met and documented they tend to get done. There are a lot of vendors that perform secure development in a spotty way, on some of their products. The new requirements make it necessary to perform good software security practices for all of the software you sell to the federal government. Non-federal government customers will [also] benefit from this,” he said.
In addition to the software supply chain security enhancements, the EO contains a broad swath of other security requirements. Specifically, it calls for pilot programs that use AI for cyber defense, encourages acceptance of digital identity documents, directs steps to prepare for the transition to post-quantum cryptography, seeks to improve the security of networked communications, and calls for agencies to continuously verify the security posture of space systems.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.