Stung by the SolarWinds supply chain hack, the U.S. federal government is requiring its technology vendors to attest they use software development practices intended to pare down the number of vulnerabilities exploited by hackers.
A Wednesday directive from the White House’s Office of Management and Budget also tells federal agencies they may ask for an inventory of the components used in applications when they serve critical functions – what’s known as a software bill of materials.
The guidance implements a 2021 executive order from President Joe Biden made in the wake of the Russian hack that embedded malicious code into an update of SolarWinds’ network management Orion software. The attack affected nine federal agencies.
A globally dispersed supply chain underpinning the IT industry has long provoked concerns about threat actors and zero-day vulnerabilities, and the SolarWinds incident threw those concerns into high relief. The directive “will ensure that millions of lines of code that underpin federal agencies’ work are built with industry security standards in place,” wrote Chris DeRusha, federal chief information security officer, in a White House blog post. Allowing tech companies to self-attest their compliance with secure software development practices is a compromise that doesn’t force the private sector into burdensome compliance efforts, Grant Schneider tells Information Security Media Group.
Self-attestation “is a bit of a compliance activity, but it’s a pretty light compliance activity.” OMB “isn’t mandating an audit or third party assessment,” says Schneider, a former federal CISO and Information Security Media Group contributor. A third-party assessment is optional and reserved for critical functions, the OMB directive says. It also says that the Federal Acquisition Regulatory Council, the multi-agency body that maintains the very large set of rules governing federal buying, plans to propose a uniform standard self-attestation form.
Adherence to the National Institute of Standards and Technology’s Secure Software Development Framework won’t guarantee defect-free code. It probably wouldn’t even have stopped the SolarWinds hack, Schneider says. The attackers in that incident “clearly had an objective that was very targeted and they were willing to expend pretty significant resources getting there.”
The framework should nonetheless provoke within the private sector a review of development practices with the goal of ensuring that products are built safely, he says.
More work remains on how to make software bills of materials useful for federal agencies, Schneider says. “Randomly collecting them and putting them on a shelf” doesn’t serve a useful purpose and puts SBOMs in danger of becoming a compliance exercise.
At minimum, SBOMs should be produced and ingested in machine-readable format with their use cases solidified so federal officials understand their purpose, whether it’s procurement transparency or component vulnerability assessments, Schneider says.
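To make the "machine-readable, with a solidified use case" point concrete, here is an added example of the component vulnerability assessment use case: a small script that ingests a CycloneDX-style SBOM and cross-references its package URLs against an advisory list. This is illustrative code written for this article, not tooling from OMB, NIST or Schneider. The SBOM document and the advisory feed are constructed inline, the advisory identifiers are placeholders rather than real CVEs, and the version comparison assumes simple dotted numeric versions.

```python
"""Ingest a machine-readable SBOM and assess its components against advisories.

Added example: constructed data only; advisory ids are placeholders, not real CVEs.
"""
import json

# Constructed sample SBOM in CycloneDX JSON shape (not any real product's SBOM).
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-logger", "version": "2.14.0",
     "purl": "pkg:maven/org.example/example-logger@2.14.0"},
    {"type": "library", "name": "example-http", "version": "1.3.2",
     "purl": "pkg:pypi/example-http@1.3.2"},
    {"type": "library", "name": "example-json", "version": "3.0.1",
     "purl": "pkg:npm/example-json@3.0.1"},
    {"type": "library", "name": "vendored-blob", "version": "0.9"}
  ]
}
"""

# Constructed advisory feed keyed by versionless package URL; placeholder ids.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "purl_base": "pkg:maven/org.example/example-logger",
     "affected_below": "2.15.0", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-0002", "purl_base": "pkg:pypi/example-http",
     "affected_below": "1.3.0", "severity": "high"},
]


def parse_version(version: str) -> tuple:
    """Turn a dotted version into a comparable tuple.

    Assumption for this example: versions are dotted numerics ("2.14.0");
    non-numeric segments count as 0. Production tooling should apply each
    ecosystem's own version rules (PEP 440, semver, Maven ordering).
    """
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def purl_base(purl: str) -> str:
    """Strip the version, qualifiers and subpath from a package URL."""
    return purl.split("@", 1)[0].split("?", 1)[0].split("#", 1)[0]


def load_sbom(sbom_json: str) -> list:
    """Parse a CycloneDX-style SBOM and return its component list.

    A document that is not a recognisable SBOM is rejected outright, so an
    empty or malformed file cannot silently pass as "no vulnerable components".
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = doc.get("components")
    if not isinstance(components, list):
        raise ValueError("SBOM has no components list")
    return components


def assess(sbom_json: str, advisories: list) -> dict:
    """Match every identifiable component against the advisory feed.

    Returns the affected components plus the components that carried no
    package URL or version, which must be reported rather than ignored.
    """
    findings, unresolvable = [], []
    for comp in load_sbom(sbom_json):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            unresolvable.append(comp.get("name", "<unnamed>"))
            continue
        base = purl_base(purl)
        for adv in advisories:
            if adv["purl_base"] == base and \
                    parse_version(version) < parse_version(adv["affected_below"]):
                findings.append({"component": comp.get("name"), "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["affected_below"]})
    return {"findings": findings, "unresolvable": unresolvable}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES), indent=2))
```

Two design points carry the article's argument: the loader refuses anything that is not a well-formed SBOM, because a blank document that yields "no findings" is exactly the shelf-ware outcome Schneider warns about, and components that cannot be identified by package URL are surfaced in a separate list instead of being dropped, so the assessment states what it could not check.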