Sept 14 — In the US, the White House is releasing new guidelines pertaining to how federal agencies and government contractors can comply with President Biden’s executive order requiring common cyber security standards.
Prior to the executive order, the only criterion determining the quality of software sold to the government was whether or not it functioned as advertised; how securely it had been built was not part of the bargain.
Why this is important
The new guidelines stand to affect the security of government systems and, in turn, the federal government’s ability to provide services; they may also affect billions of dollars worth of federal contracts. As a result, any organization that intends to sell software to the federal government may now need to meet specific secure-development standards.
Given the volume of cyber threats facing federal agencies, the federal government needs to build resilience into systems in a structured, thoughtful and effective way. This will help safeguard the American public and American government resources. “By setting…secure software standards, we’re benefiting everybody,” said an unnamed White House official.
The new guidelines
The new guidelines, issued as an Office of Management and Budget (OMB) memorandum, require federal agencies to ensure that the software they use is developed in accordance with two NIST documents published earlier this year: the “Secure Software Development Framework” (SSDF, NIST SP 800-218) and the “Software Supply Chain Security Guidance.”
The guidelines require agencies to obtain a ‘self-attestation’ from software producers, stating that the producer followed the practices in those documents during development. According to the official documents, a software producer’s self-attestation serves as a ‘conformance’ statement. Note that a self-attestation is the producer’s own assertion, not an independent audit; the guidelines leave room for federal agencies to set more stringent security requirements as they see fit.
May 2021 executive order
In May of last year, Mr. Biden issued Executive Order 14028, “Improving the Nation’s Cybersecurity,” which outlined a wide variety of new cyber security mandates. These included requiring agencies to deploy security controls such as multi-factor authentication and encryption, and the creation of a Cyber Safety Review Board to analyze major cyber attacks. The order followed on the heels of the SolarWinds supply-chain breach, which enabled foreign spies to infiltrate at least nine US federal agencies.
Experts indicate that it may take time for all of the guidance to become reality; deadlines included in the memos and guidelines range from three months to two years. In the end, the frameworks should give US agencies more transparency into how the software they buy is built, helping America sustain its national, social and economic security.
For more information, please visit The Washington Post. Lastly, to receive more timely cyber security news, top-tier reports and cutting-edge analyses, please sign up for the cybertalk.org newsletter.