It’s finally happened. For everyone who has been trying to figure out how to comply with President Biden’s Executive Order on Cybersecurity (EO 14028), you now have the answer—sort of.
As background, for many people the concept of software supply chain security entered their world because of EO 14028. In that document, President Biden outlined some significant areas for improvement in cybersecurity practices. From a software supply chain perspective, the concept of a software bill of materials (SBOM) suddenly became a mainstream idea. As with all executive orders, the president instructed heads of agencies to perform specific tasks in order to achieve the goals of the executive order.
For the first year, a series of technical problems were solved within the timeline provided in the executive order. This progress led many to believe that we would quickly know what contractual obligations the U.S. government (USG) might impose upon suppliers of software and software-enabled devices to the USG. As of this writing, that contract language hasn’t been published, and the delay fostered a fear of what the contract terms might be. Of course, when fear gets involved, humans instinctively try to find solutions to reduce the perceived risk.
This led to the mistaken belief that an SBOM was a primary requirement for “EO compliance.” After all, if it weren’t important, why did this new technical term appear 11 times in a presidential executive order? Given that the National Telecommunications and Information Administration (NTIA) was tasked under EO 14028 to define the minimum specifications for an SBOM, a reasonable starting point for most organizations is to create SBOMs for the software they produce. But generating SBOMs isn’t software supply chain risk management, and having an SBOM doesn’t meet all of what was outlined in EO 14028.
In September 2022, we learned a bit more about what might be required to do business with the USG when the Office of Management and Budget (OMB) released memo M-22-18. In that memo, OMB stated that it expected software providers to the USG to self-attest to the application development, security and testing practices that were performed on any software subject to procurement by the USG. OMB tasked the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with creating the self-attestation criteria form. Further, in January, the General Services Administration (GSA) issued memo MV-23-02, which stated that GSA expected to start collecting self-attestations in June 2023 for any new USG procurement.
There’s a ton of detail in all that background, but in short, OMB effectively stated that conformance to the NIST Secure Software Development Framework (SSDF) would be part of its self-attestation requirement and that GSA was going to be enforcing it. So while everyone was running around trying to figure out how to create an SBOM, OMB upped the ante by expecting suppliers to self-attest to how they develop and test the software they deliver to the USG.
That’s a big deal, and if your development teams haven’t been following the guidance in the SSDF, or some of the frameworks the SSDF directly references, then it’s going to be hard to self-attest to conformance with the SSDF. The good news for those of you for whom the SSDF is a new idea is that CISA and OMB aren’t requiring you to conform to every activity in the SSDF—yet. In the draft self-attestation form published by CISA today, only 30 of the SSDF tasks are explicitly required. That of course doesn’t mean that you shouldn’t be building a plan to fully follow the SSDF.
The really good news is that Black Duck has been paying attention to the evolution of cybersecurity expectations related to EO 14028 since it was first published. We have a team with dedicated roles related to EO 14028 activities. They are helping ensure that whether our clients need tactical or strategic solutions for the new software supply chain risk management world we all find ourselves in, Black Duck is directly engaged with those who are creating these new standards.
Our tactical solutions include all the AppSec tooling that has positioned Black Duck as the leading provider for all of Gartner’s critical AppSec capabilities.
Our strategic solutions are expanding to include audited SBOM services for when an SBOM must be provided as part of a regulatory or contractual obligation, process management to support client SBOM management efforts, and—most importantly to today’s self-attestation announcement—an SSDF Readiness Assessment to meet SSDF compliance and attestation objectives.
With Black Duck, you have a partner that is capable of helping you navigate the realities and complexities of software supply chains while directly addressing the business risk from those supply chains.