The White House released cybersecurity guidance on Wednesday for software vendors that served as an extension of an executive order President Joe Biden signed in 2021.
Biden signed “Improving the Nation’s Cybersecurity” in May of 2021, which outlined plans to modernize the United States’ cybersecurity approach and implement techniques like multifactor authentication. One part of the executive order referenced plans to provide guidelines for the software purchased and deployed within government networks, which was contained in Wednesday’s memorandum.
In a White House statement also posted on Wednesday, Federal CISO and Deputy National Cyber Director Chris DeRusha said that while the only criteria of quality for a piece of software used to be whether it worked as advertised, technology today must be developed in a way that makes it resilient and secure.
“The guidance, developed with input from the public and private sector as well as academia, directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered,” he said.
Biden’s cybersecurity guidance also required federal government agencies to acquire a self-attestation form from a software vendor confirming that the product is compliant with security guidance from the National Institute of Standards and Technology (NIST) before using any new software.
Depending on the agency, the software vendor might also have to prove compliance through artifacts including a software bill of materials (SBOM). Additionally, the vendor might be required to provide evidence that it participates in a vulnerability disclosure program.
While the executive order and guidelines don’t legally require private vendors to release secure and compliant software, DeRusha said this action was necessary following the SolarWinds supply chain attack in 2020. This cyberattack led to several government agencies falling victim to data breaches.
“This incident was one of a string of cyber intrusions and significant software vulnerabilities over the last two years that have threatened the delivery of Government services to the public, as well as the integrity of vast amounts of personal information and business data that is managed by the private sector,” added DeRusha in his statement.