The News: A top federal cybersecurity official recently indicated that the Office of Management and Budget is preparing new cybersecurity guidance for federal agencies to be released in the coming weeks. The forthcoming requirements seem likely to focus on software supply chain concerns. Read more from NextGov here.
Upcoming Federal Cybersecurity Guidance Likely to Address Software Supply Chain Concerns
Analyst Take: During a recent NextGov event, Steven Hernandez, a top federal cybersecurity official, revealed that a new mandate on software supply chain security is in the works at the Office of Management and Budget. The federal cybersecurity guidance will help agencies understand the provenance of any software that is used on government networks and hold vendors accountable for its security, Hernandez indicated. New guidelines are expected to be released within the next few weeks.
An executive order in May 2021 established the National Institute for Standards and Technology’s Secure Software Development Framework, which is likely to be strengthened and reinforced by the new federal cybersecurity policy guidelines. The framework aims to address software supply chain concerns by requiring key information from vendors, and upcoming guidance may include third-party verification of vendor information among other updates to existing federal cybersecurity practices.
Software Supply Chain Concerns in Federal Cybersecurity
In the wake of the 2020 SolarWinds hacking incident and recent attention to critical vulnerabilities in log4j, an open-source software library, federal cybersecurity concerns have driven an increase in new policies and requirements for agencies and their vendors. Cyber supply chain risk management is a key aspect of federal cybersecurity, and guidance has previously focused on ensuring the security of software through the supply chain by maintaining inventories of software programs and the provenance of the code contained within. This is known as the Software Bill of Materials (or SBoM), and future guidance is expected to require SBoM information from vendors in a machine-readable format to allow for streamlined responses to incidents or vulnerabilities.
Advancement in federal cybersecurity practices is always good news, as the ability for federal agencies to work quickly and securely is vital to national security. It’s safe to say that no one wants to see another SolarWinds incident or malicious data breach that compromises the functionality of our federal agencies or private firms. As technology advances, federal cybersecurity efforts must keep pace in identifying and eliminating vulnerabilities before they result in unforeseen consequences. I look forward to the release of the OMB’s new guidelines and will be following the story as it develops.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum Research as a whole.
Other insights from Futurum Research:
Image Credit: NextGov
A serial entrepreneur with a technology centric focus, Shelly has worked with some of the world’s largest brands to lead them into the digital space, embrace disruption, understand the reality of the connected customer, and help navigate the process of Digital Transformation. Read Full Bio.