This is the twenty-eighth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through July 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during August 2023.
ONCD and Interagency Partners Publish a Request for Information (“RFI”) on Open-Source Software Security
On August 10, 2023, the Office of the National Cyber Director (“ONCD”) published a RFI seeking public comment on the Federal Government’s efforts to promote open-source software security as part of the Open-Source Software Security Initiative (“OS3I”). The RFI was published in collaboration with interagency OS3I partners, including the Cybersecurity and Infrastructure Security Agency (“CISA”), the National Science Foundation, the Defense Advanced Research Projects Agency, the National Institute of Standards and Technology (“NIST”), the Center for Medicare & Medicaid Services, and Lawrence Livermore National Laboratory. The RFI specifically seeks input on how the Federal Government “can lead, assist, or encourage other key stakeholders to advance progress” in open-source software security, including:
- How “the Federal Government [should] contribute to driving down the most important systemic risks in open-source software;”
- How “the Federal Government [can] help foster the long-term sustainability of open-source software communities;” and
- How “open-source software security solutions [should] be implemented from a technical and resourcing perspective.”
Comments are being accepted through November 8, 2023 at 5:00 pm ET and may be submitted through Regulations.gov.
FCC Seeks Input on Internet of Things (“IoT”) Labeling Program
On August 10, 2023, the Federal Communications Commission (“FCC”) published a Notice of Proposed Rulemaking (“NPRM”) regarding the creation of a voluntary cybersecurity labeling program for IoT devices. The FCC’s NPRM advances the Administration’s efforts – as outlined in the National Cybersecurity Strategy and Implementation Plan – to establish a program for placing a “U.S. Cyber Trust Mark” on qualifying products to “help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards.” The NPRM states that the program would be based on criteria developed by NIST and poses questions for comment, including (among others):
- The “scope of devices or products for sale in the U.S. that should be eligible for inclusion in the labeling program;”
- How “to develop the security standards that could apply to different types of devices or products;” and
- How “to demonstrate compliance with those security standards.”
Public comments on the NPRM were due on or by September 25, 2023.
ONCD Extends Deadline for Regulatory Harmonization RFI
On August 16, 2023, ONCD extended the deadline for companies and stakeholders to submit feedback on its Request for Information regarding harmonizing cybersecurity regulations. Comments will now be accepted through October 31, 2023. ONCD had originally published its RFI on July 19, 2023, seeking public input “to understand existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements.” ONCD’s RFI on harmonization advances one of the initiatives outlined by the Administration in its National Cybersecurity Strategy Implementation Plan.
CISA Blog Categorizes Artificial Intelligence (“AI”) as Software that Must Be Secure by Design
In a blog post published on August 18, 2023, CISA explained that AI is simply “a type of software” that, “like any software system,  must be Secure by Design.” In other words, CISA explained, “manufacturers of AI systems must consider the security of the customers as a core business requirement, not just a technical feature, and prioritize security throughout the whole lifecycle of the product, from inception of the idea to planning for the system’s end-of-life.” Similarly, CISA’s blog stated that AI engineers “should apply existing community-expected security practices and policies for broader software design [and] software development[,]” including in regard to “AI software design, AI software development, AI data management, AI software deployment, AI system integration,” and many others. In particular, CISA claimed that “AI engineering continues to take on too much technical debt where they have avoided applying these practices.” CISA’s position that AI is software is another step in its promotion of Secure by Design principles following its guidance on Security-by-Design and Security-by-Default principles for technology manufacturers, which was released on April 13, 2023.
NIST Updates Draft Implementation Guidance for Zero Trust Architecture
On August 22, 2023, NIST’s National Cybersecurity Center of Excellence (“NCCoE”) published a third version of Volume D of its draft guidance on “Implementing a Zero Trust Architecture,” SP 1800-35D. Specifically, “Volume D provides a functional demonstration plan[,] and the updated version includes demonstration results for ten builds.” NCCoE is accepting comment on this guidance through October 9, 2023. And moving forward, NCCoE has stated that it “will continue to update the volumes of NIST SP 1800-35 appropriately as needed as [it] make[s] significant progress on the project.”
NIST Publishes Draft Guidance for Integrating Software Security Concepts into Cloud Operations
On August 30, 2023, NIST released an initial draft of NIST SP 800-204D, “Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipeline.” In accordance with the Cyber EO and NIST’s Secure Software Development Framework, the new guidance addresses “actionable measures to integrate the various building blocks of [software supply chain (“SSC”)] security assurance into [Continuous Integration / Continuous Delivery (“CI/CD”)] pipelines to prepare organizations to address SSC security in the development and deployment of their cloud-native applications.” In particular, the new guidance:
- Provides “a series of definitions for modeling and understanding software supply chains and their compromises;”
- Sets out “a broad understanding of common risk factors and potential mitigation measures with a particular focus on the software developer environment;”
- Describes “the background for CI/CD pipelines, the broad security goals of the processes involved, and the entities that need to be trusted;”
- “Outlines strategies for integrating SSC security assurance measures into CI/CD pipelines;” and
- Maps “the SSC security integration strategies for CI/CD pipelines to the SSDF’s high-level practices.”
CISA is accepting public comment on its initial draft through October 13, 2023, which can be submitted by email to email@example.com.