Date: 2022-05-13

In May 2021, President Biden issued Executive Order 14028 "Improving the Nation's Cybersecurity". This order provided key strategic cybersecurity objectives for Executive Branch agencies as well as their supply chains. The Order included directives for the National Institute of Standards and Technology (NIST) to establish standards and requirements for software security and to include these as contract requirements in the Federal acquisition process beginning in 2022. On February 4, 2022, NIST published Special Publication 800-218 "Secure Software Development Framework (SSDF)" V1.1 ("NIST SP 800-218v1.1"), which seeks to establish "a core set of high-level secure software development practices that can be integrated into [software producers' software development processes]". This article summarizes the newly published requirements and the impact on companies that produce software for the U.S. Federal Government.

Background: The Roadmap for Enhancing Software Supply Chain Security

Executive Order 14028 set forth an aggressive timeline for the Federal Government to establish and enforce new software development guidelines to mitigate the risk of future software supply chain attacks such as the SolarWinds breach:

Table 1 - EO 14028 Timeline for Software Development Security

NIST SP 800-218 at-a-Glance

NIST SP 800-218v1.1, The Secure Software Development Framework (SSDF), was written to establish standards for secure development of software through the full Software Development Life Cycle (SDLC). The objective of the SSDF is to "shift security left" in the SDLC, to incorporate security considerations early and often throughout the software suppliers' internal software development processes.

The SSDF is organized along key Practices, Tasks supporting these Practices, Notional Implementation Examples for such Tasks, and References:

Practices - 19 high-level organizational outcomes resulting from the implementation of various tasks, organized into the following four (4) groups:
    Prepare the Organization (PO) - Practices designed to ensure that people, processes, and technology are prepared to perform secure software development.
    Protect the Software (PS) - Practices designed to protect all components of the software from tampering or unauthorized access.
    Produce Well-Secured Software (PW) - Practices designed to produce well-secured software with minimal security vulnerabilities.
    Respond to Vulnerabilities (RV) - Practices to identify residual vulnerabilities in software releases and to respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.

Tasks - 42 specific activities to be performed by organization personnel to carry out the 19 practices.

Notional Implementation Examples - Examples of potential tools, processes, or other methods that could be used to implement a task.

References - References to similar or source controls from other established frameworks such as NIST SP 800-53, ISO/IEC 27001, OWASP, NIST CSF, etc.

As an example, the task below belongs to the Protect the Software (PS) practice and calls for the collection and sharing of provenance data across the supply chain through a Software Bill of Materials (SBOM).

Notably, the task also makes reference to the NTIA's Minimum Elements for a Software Bill of Materials (SBOM) and to the section on "Emerging Software Supply Chain Concepts" in NIST SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which covers the foundational, sustaining, and enhancing capabilities related to this practice.

What's Next and What Suppliers Should be Doing Now

While the Federal Acquisition Regulation (FAR) has not yet been updated to include any specific clauses relating to NIST SP 800-218, Executive Order 14028 requires:

Federal agencies to now procure any new software in accordance with the new NIST Framework. In fact, the Office of Management and Budget (OMB) issued a press release on March 7th advising that "Federal agencies must begin to adopt the SSDF and related guidance effective immediately, tailoring it to the agency's risk profile and mission." Although NIST issued guidance to federal agency procurement staff simultaneously with the release of NIST SP 800-218v1.1, OMB's press release notes that OMB intends to engage the private sector on how best to implement the requirements before directing agencies to require attestations of compliance with the new NIST framework.

That the process to amend the FAR to include such clauses and requirements for companies supplying software to the U.S. government begin in Q2 2022.

The bottom line is that the federal government has already started the process to enforce the adoption of the newly-published NIST framework, and future software procurement by the federal government will be contingent on vendors attesting to compliance with the framework. Accordingly, companies that develop software supplied to the U.S. Government should begin engaging with the published NIST requirements and begin documenting and/or re-engineering their software development practices and processes to ensure alignment with the SSDF.

