This is the sixteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through July 2022. This blog describes key actions taken to implement the Cyber EO during August 2022.
Three Federal Agencies Issue Supply Chain Cybersecurity Guidance for Software Developers
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) issued a Recommended Practices Guide for Developers (“Developers’ Guide”) for securing the software supply chain on August 31, 2022. This guide is designed to inform implementation of the memorandum that was subsequently issued by the Office of Management and Budget (OMB) on September 14, 2022. That September 14 OMB Memorandum requires federal agencies to obtain self-attestations, and potentially artifacts such as Software Bills of Materials (SBOMs), from software vendors before using such software in agency information systems. The September 14 OMB Memorandum is the subject of a separate Covington blog post found here.
The Developers’ Guide includes separate sections addressing: (1) Developing Secure Code; (2) Verifying Third-Party Components; (3) Hardening the Build Environment; and (4) Delivering Code. It identifies certain areas where software supply chain vulnerabilities may exist, including (i) undocumented features or risky functionality, (ii) unknown changes to, or revisions of, contractual, functionality or security assumptions between evaluation and deployment, (iii) a supplier’s change of ownership and/or geographic location, and (iv) poor supplier enterprise or development hygiene. Appendix A to the Developers’ Guide contains a cross-walk between the Guide’s use cases (scenarios) and the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology (NIST) (Draft NIST SP 800-218 Version 1.1). Other appendices address Supply-chain Levels for Software Artifacts (SLSA) and best practices regarding such artifacts.
The Developers’ Guide is the first of what will be a series of guides covering the software supply chain lifecycle. The second in the series will be a recommended practices guide focused on software suppliers, and the third will focus on software customers, including federal government agencies. The Enduring Security Framework, a public-private working group that operates under the auspices of the Critical Infrastructure Partnership Advisory Council, prepared the Developers’ Guide and will prepare the remaining two.
New FAR Part 40 Governing Cyber Supply Chain Security
On August 31, the FAR Council quietly announced a major proposed change to the U.S. Government’s approach to regulating supply chain security: the Government will be issuing an entirely new FAR Part 40 to implement software supply chain security requirements outlined in Section 4(n)-(p) of the Cyber EO. Although few details of the forthcoming FAR Part 40 are available at this time, the stated purpose of the new FAR Part 40 would be to serve as a “single, consolidated location in the FAR for cybersecurity supply chain risk management requirements.” The Director of the Defense Acquisition Regulatory Council has tasked staff to draft a “final FAR rule,” on which a progress report is due October 12, 2022. Contractors would be wise to monitor progress toward the issuance of the new FAR Part 40 and take advantage of any opportunities for public review and comment.
NIST Releases Additional Draft Volumes of Its Practice Guide for Zero Trust Architecture
On August 9, 2022, the NIST Cybersecurity Center of Excellence (NCCoE) issued preliminary draft Volumes C and D of the practice guide for its zero trust architecture (ZTA) implementation project under the Cyber EO. This guide summarizes how the NCCoE and its collaborators use commercially available technology to build interoperable, open standards-based ZTA implementations that are consistent with the concepts and principles in NIST SP 800-207, Zero Trust Architecture. Draft Volume C focuses on assisting IT professionals in designing and improving information systems to incorporate ZTA, while draft Volume D focuses on “Functional Demonstrations” of use cases of ZTA implementation. These use cases are: “Discovery and Authentication of IDs, Assets, and Data Flows”; “Enterprise-ID Access”; “Collaboration: Federated-ID Access”; “Other-ID Access”; “No-ID Access”; and “Confidence Level.” NCCoE collected public comments on the draft through September 9, 2022, and is expected to revise the drafts based on those comments.