Government to Implement New Security Standards for IT Vendors, Official Says
The Biden administration will soon roll out new security standards for its information technology vendors, according to a senior cybersecurity official.
Brandon Wales, director of the Cybersecurity and Infrastructure Security Agency, hinted at provisions related to software development standards, particularly for products likely to have increased privileges inside networks, Nextgov reported Tuesday.
According to Wales, the new procurement standards will elevate security not only for the government but also for the private sector.
“The government wants to use its unique market position to help shape that market and improve the security of the vendors that are providing software products and services, not just to the federal government but to the entire community,” Wales said during an event hosted by the Cyber Initiatives Group.
In a recent hearing on the SolarWinds hack, Wales told lawmakers that the United States should focus on its general approach to supply chain security rather than on avoiding foreign vendors altogether.
The SolarWinds attack, which was discovered in December 2020, reportedly compromised the networks of at least nine federal government agencies and hundreds of American companies.
During the hearing, Wales said that the government’s upcoming rules might include vulnerability disclosure policies that would encourage security researchers to seek and report weaknesses in vendors’ offerings.
Eric Noonan, CEO of CyberSheath, recently wrote a column highlighting the advantages of requiring technology companies to disclose data breaches in exchange for limited legal liability. The suggestion came up in the first Senate Intelligence Committee hearing on the SolarWinds attack.
Noonan said that while granting businesses limited legal liability is a reasonable incentive, companies should also be required to meet minimum cybersecurity standards.