Biden Administration Eyes New Software Security Guidance for Agencies
The Office of Management and Budget plans to release new secure software guidance to help federal agencies implement President Joe Biden’s cybersecurity executive order. The guidance will revolve around applying standards to the software that government agencies buy.
According to Federal Chief Information Security Officer Chris DeRusha, the guidance is based on the Secure Software Development Framework and Software Supply Chain Security Guidance released by the National Institute of Standards and Technology in February. In a workshop hosted by NIST, DeRusha shared that the goal of issuing the new document is to incentivize vendors to adopt the new software development framework, Federal News Network reported.
DeRusha also said agencies should be proactive when it comes to cybersecurity and that they should follow Biden’s cybersecurity EO. According to the federal CISO, there must be an efficient approach to vendor attestation and federal verification.
The OMB is working with the Department of Homeland Security to provide recommendations to the Federal Acquisition Regulation Council on certain requirements for companies to be able to work with government agencies. These recommendations will include cybersecurity compliance and secure development practices. The recommendations are due May 12.
DHS CISO Kenneth Bible said during the same NIST event that federal CISOs want to improve the integrity, composition and provenance of the software they are using to ensure that vulnerabilities will be spotted. According to Bible, having a better understanding of software composition could prevent system vulnerabilities by improving code visibility.
Several industry representatives advocated for the guidance to take into account existing certifications and compliance standards. They also called for reciprocity and standardization so that companies would not have to repeat the same processes for each buying component.