February 27, 2023
Software supply chain hacks are now the most prevalent form of cyberattack. According to the latest Verizon Data Breach Investigations Report, 62% of system intrusion incidents came through a third party, highlighting the difficulties that many organizations – including federal agencies – face in securing their supply chain. A recent flurry of legislative activity demands that CISOs step up their supply chain due diligence – and fast.
Key among these directives and guidance is the Enduring Security Framework (ESF). Developed by NSA, ODNI, and CISA, and modeled on the NIST Secure Software Development Framework (SSDF), ESF aims to harmonize previously disparate Cyber Supply Chain Risk Management (C-SCRM) policies and procedures across the federal government. A key tenet of ESF – and also a requirement of a new White House Memo (M-22-18) – is vendor self-attestation to software developed in accordance with NIST standards.
Yet, despite directives from the highest levels of government, questions remain:
Does every ESF recommendation and control have to be met by software vendors?
Are some C-SCRM practices and standards a priority over others?
Will OMB require point-in-time or continual attestation?
When will the standardized self-attestation form be released?
Until we have answers, one thing is clear – software supply chain security can’t be solved by directives and guidelines alone. The reality is, a threat can only truly be mitigated through increased cooperation between the public and private sectors. As head of government affairs at SolarWinds, here’s my take on how the agencies and industry can join forces to collaborate.
Typically, software purchases are one-time transactional exchanges. After all, the goal is to make procurement, installation, and deployment as quick and efficient as possible. In this model, relationships between the software vendor or supplier and the procuring agency aren’t nurtured. It’s an approach I believe needs to change.
To protect our shared infrastructure from evolving threats, federal security leaders must build lasting and meaningful relationships with software vendors.
Creating these partnerships is the future of C-SCRM in the federal government. Indeed, following the 2020 SUNBURST hack, we set out on a mission to lead the way to safer IT with our Secure by Design initiative. This effort included launching a new model for secure software development to strengthen the integrity of build environments.
Crucially, we also committed to establishing new standards in information-sharing and public-private partnerships. Government security leaders should communicate frequently and continuously with their industry counterparts about enterprise software security, the development process, and adherence to ESF standards. When it comes to their vendors, Federal CISOs must also have a dedicated person to call at any time – not just a toll-free number.
Self-attestation may be mandated, but it won’t fix everything. After all, most agencies lack the resources to evaluate every software vendor’s self-declaration, opening the door to abuse. The compliance framework may also seriously hinder the procurement process.
Until OMB issues further guidance, agencies can screen their suppliers’ security measures using a set of seven questions developed by our CISO, Tim Brown, and DHS CISO Ken Bible in the aftermath of SUNBURST. Those questions are:
How do your vendors secure software code?
What type of environment do you build your software in?
Have they established secure software development framework roles and responsibilities?
Are they using automation and DevSecOps to automate developer and security toolchains?
What policies and measures do they have in place to prevent malicious or vulnerable software from affecting their customer base?
How are they monitoring risk in their own supply chain?
If a breach occurs, what’s their process for notifying customers?
Security is an ongoing journey with no finish line, but federal agencies and their vendor ecosystem can become smarter and more cyber resilient if they are transparent, collaborate, and learn from previous attacks.