Among other things, President Biden's May 12, 2021 Executive Order (EO) on Cybersecurity seeks to improve the security of software used by the federal government. See https://lnkd.in/e399Y2g. The EO contemplates "contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with" certain security requirements, including "conformity with secure software development practices" and ensuring "the integrity and provenance of open source software used within any portion of a product." On March 11, CISA and OMB released a Secure Software Development Attestation Form (the Form) for software producers to comply with this new requirement. See https://lnkd.in/ea3aSSvQ. Yesterday, CISA went "live" with its "Repository for Software Attestation and Artifacts." See https://lnkd.in/erXttezB.

Among other things, the Form requires "the Chief Executive Officer (CEO) of the software producer or their designee, who must be an employee of the software producer and have the authority to bind the corporation" to attest to the existence of specific controls summarized below:

(1) The software is developed and built in secure environments (including with environment segregation; regular logging, monitoring, and auditing of trust relationships used for authorization and access; MFA and conditional access; continuous monitoring of operations and alerts; etc.);
(2) The software producer makes a "good faith" effort to maintain trusted source code supply chains by employing automated tools or comparable processes to address the security of internal code and third-party components and manage related vulnerabilities;
(3) The software producer maintains provenance for internal code and third-party components incorporated into the software to the greatest extent feasible;
(4) The software producer employed automated tools or comparable processes that check for security vulnerabilities.
The form also requires the software producer to attest that "it will notify any agency to which it has submitted this form if and when the producer ceases to make consistent use of the practices identified above in developing the software." Because the attestor is generally not required to provide any evidence or detail to support this attestation, it may be tempting for some software producers to "hold their breath" and just attest. Please do NOT do this. The form makes clear that "[w]illfully providing false or misleading information may constitute a violation of 18 U.S.C. § 1001, a criminal statute." The DOJ prosecutes Section 1001 violations so frequently that there are "scores of reported cases" on such prosecutions. See https://lnkd.in/ekXK_Bte. If you find yourself required to fill out this attestation, but are not yet in a position to do so truthfully, please discuss your options with competent counsel. This attestation is definitively not worth committing a federal crime over.
Steps Governments Are Taking for Software Security
Summary
Governments worldwide are implementing measures to secure software systems against cyber threats, with a focus on transparency in software development, secure supply chains, and accountability from software providers. These steps aim to safeguard public infrastructure and ensure compliance with rigorous cybersecurity standards.
- Adopt secure development practices: Governments are requiring software producers to build applications in controlled environments, utilizing tools to detect vulnerabilities and maintain the integrity of source code.
- Enforce compliance and accountability: Software providers working with government entities must now submit attestations and documentation verifying adherence to security standards, with penalties for false disclosures.
- Implement advanced technologies: Artificial intelligence and automated systems are being integrated to enhance cybersecurity defenses, detect vulnerabilities, and mitigate threats proactively.
'Biden's proposal calls for tougher standards for secure software development, the ability to verify that those standards have been met, and a process for the Cybersecurity and Infrastructure Security Agency (CISA) to evaluate the process, according to the draft. Vendors will have to provide secure software development documentation to be evaluated and validated by CISA through the agency's software attestation program. Attestations that "fail validation" could be referred to the attorney general for “action as appropriate,” according to the draft... ...The order also mandates the development of guidelines to securely manage access tokens and cryptographic keys used by cloud providers. Chinese-linked hackers abused this method to access email accounts used by top U.S. government officials in May of 2023, Microsoft said at the time.' https://lnkd.in/g4EV-hZM
The Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity, signed on January 16, 2025, aims to address growing cyber threats, particularly from adversarial countries like China. It builds on previous cybersecurity actions, focusing on securing vital digital infrastructure, software, and cloud services. Key directives include improving software supply chain transparency, strengthening software security practices for federal systems, and fostering innovation in cybersecurity technologies. The order mandates the development of secure software practices and calls for greater accountability from software providers to protect U.S. infrastructure and national security.

Improved Software Supply Chain Security: The order focuses on strengthening security measures throughout the software supply chain, requiring greater transparency and accountability from software providers to reduce vulnerabilities in critical infrastructure.

Enhanced Cybersecurity for Federal Systems: It mandates the development and adoption of secure software practices for federal systems to ensure that government networks and applications are resilient against cyber threats.

Fostering Cybersecurity Innovation: The order promotes the development and implementation of advanced cybersecurity technologies and innovations to stay ahead of evolving cyber threats, enhancing national security and infrastructure protection. https://lnkd.in/eqxfwmfx
Biden's massive cybersecurity executive order is out. Here's a newsflash that apparently took years to figure out 🙄:
- Self-attested cybersecurity is a total policy failure.
- Voluntary "commitments" to cybersecurity aren't worth a plug nickel.
- As a result, mandatory 3rd-party verification is coming for everyone.

From the order (you should read it - link in comments): "The Federal Government and our Nation's critical infrastructure rely on software providers. Yet insecure software remains a challenge for both providers and users and makes Federal Government and critical infrastructure systems vulnerable to malicious cyber incidents. In some instances, providers of software to the Federal Government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise. The Federal Government needs to adopt more rigorous third-party risk management practices and greater assurance that software providers that support critical Government services are following the practices to which they attest."

By ~Summer 2025, the agency members of the FAR Council "are strongly encouraged to consider issuing an interim final rule … to amend the Federal Acquisition Regulation (FAR) to implement … contract language requiring software providers to submit to CISA through CISA's Repository for Software Attestation and Artifacts (RSAA)."

"The National Cyber Director is encouraged to refer attestations that fail validation to the Attorney General for action as appropriate."

It's not just software either: "Agencies need to integrate cybersecurity supply chain risk management programs into enterprise-wide risk management activities. Within 90 days of this order [OMB] shall take steps to require that agencies comply with the guidance in NIST Special Publication 800-161r1.
OMB's requirements shall address the integration of cybersecurity into the acquisition lifecycle through acquisition planning, source selection, responsibility determination, security compliance evaluation, contract administration, and performance evaluation."

Anyways, if you thought/think CMMC was an anomaly, you were/are wrong. It's just one (early) manifestation of the government's larger policy/regulatory direction. "Managing cybersecurity risks is now a part of everyday industry practice and should be expected for all types of businesses. Minimum cybersecurity requirements can make it costlier and harder for threat actors to compromise networks."
A quick summary of President Biden's Executive Order on #cybersecurity. A lot to digest here and much for corporate directors to understand. A deeper analysis is coming on Digital Directors Network #riskmanagement #CIO #CISO

The EO's key components are heavily entwined with systemic cybersecurity risk governance and management. In addition, the EO calls out China as the most active and persistent cyber threat to the U.S., critical infrastructure and the private sector. It emphasizes the need for improved cybersecurity measures to protect against threats from all adversarial countries, but particularly China. While some of the EO's key points are specific to federal systems, the issues being addressed should be understood and governed by private sector boardrooms as leading practices, e.g., the use of AI to enhance cyber defenses. In general, cybersecurity governance and management is rapidly developing and becoming more specific and nuanced. It requires MUCH more than a perfunctory approach within the boardroom by boardroom generalists. It needs director #cybersecurity expertise, and to be brought out from the audit committee for starters.

Other EO headlines include:

Software Supply Chain Security: The Federal Government will enforce secure software acquisition practices and require software providers to submit attestations and artifacts to ensure compliance with secure development practices.

Federal Systems Cybersecurity: Proven security practices from the industry, including identity and access management, will be adopted to enhance threat detection capabilities across federal networks.

Federal Communications Security: Strong identity authentication, encryption, secure internet routing, and encrypted DNS traffic will be implemented to protect federal communications from adversarial threats.

Combating Cybercrime and Fraud: The order encourages the use of digital identity documents and "Yes/No" validation services to reduce identity fraud in public benefits programs, ensuring privacy and data minimization.

Promoting Security with Artificial Intelligence: The Federal Government will accelerate the development and deployment of AI to enhance cyber defense, focusing on vulnerability detection, automatic patch management, and identifying malicious activity.

More to come on this. And here's the full EO. Fay Feeney International Corporate Governance Network (ICGN) Council of Institutional Investors
The new US executive order is pretty interesting for developers: https://lnkd.in/gEeJ9HCK

Highlights:

"Secure software development practices are not sufficient to address the potential for cyber incidents from resourced and determined nation-state actors. To mitigate the risk of such incidents occurring, software providers must also address how software is delivered and the security of the software itself. The Federal Government must identify a coordinated set of practical and effective security practices to require when it procures software."

"Open source software plays a critical role in Federal information systems. To help the Federal Government continue to reap the innovation and cost benefits of open source software and contribute to the cybersecurity of the open source software ecosystem, agencies must better manage their use of open source software."

"Within 150 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Energy; the Secretary of Homeland Security, acting through the Under Secretary for Science and Technology; and the Director of the NSF shall prioritize research on the following topics: (i) human-AI interaction methods to assist defensive cyber analysis; (ii) security of AI coding assistance, including security of AI-generated code;