This is the sixth in the series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, and fifth blogs described the actions taken by various federal agencies to implement the EO during June, July, August, and September 2021, respectively. This blog summarizes key actions taken to implement the Cyber EO during October 2021.
Although the recent developments this month are directly applicable to the U.S. Government, the standards being established for U.S. Government agencies could be adopted as industry standards for all organizations that develop or acquire software, much as various industries have adopted the NIST Cybersecurity Framework as a security controls baseline.
NIST Publishes Preliminary Guidelines for Enhancing Software Supply Chain Security
Section 4(c) of the Cyber EO directs NIST to publish preliminary guidelines for enhancing software supply chain security by November 8, 2021. NIST issued these preliminary guidelines on October 28, 2021 as part of a second draft of NIST Special Publication 800-161 Revision 1, “Supply Chain Risk Management Practices for Systems and Organizations.” The preliminary guidelines, which are specifically addressed in Appendix F to Draft Revision 1 but are also incorporated throughout the document, describe key cybersecurity supply chain risk management (C-SCRM) practices for managing exposures to the cybersecurity risks, threats, and vulnerabilities presented by the supplier, the supplied products and services, and the supply chain itself, and for developing appropriate response strategies. The guidelines also provide a general prioritization of such practices (i.e., Foundational, Sustaining, and Enabling) for enterprises to consider as they implement C-SCRM.
In preparing the updated draft following the release of the Cyber EO, NIST translated the Cyber EO’s Section 4 software supply chain directives into three targeted initiatives:
- Critical Software Definition and Security Measures;
- Recommended Minimum Standard for Vendor or Developer Verification of Code; and
- Cybersecurity Labeling for Consumers: Internet of Things (IoT) Devices and Software.
NIST will accept comments on the preliminary guidelines through December 5, 2021. The Cyber EO requires NIST to publish final guidelines for ensuring software supply chain security by February 2022. While these guidelines will initially be applicable only to federal agencies, the head of cyber response and policy at the National Security Council, Jeff Greene, stated recently that a goal of the Cyber EO was “spillover” of NIST’s software security guidelines to private entities, presumably (in the case of government contractors and subcontractors) through the use of standardized FAR clauses contemplated elsewhere in the Cyber EO.
NIST Announces Virtual Workshop on November 8 to Discuss Artifacts Used in Developing Secure Software
Section 4(e) of the Cyber EO requires NIST to issue guidance identifying practices that enhance the security of the software supply chain, including standards, procedures, or criteria regarding secure software development environments and providing “artifacts” that demonstrate conformance to such standards, processes, or criteria. Pursuant to Section 4(e), NIST released a draft Secure Software Development Framework (Draft SSDF) at the end of September 2021. The Draft SSDF bears the title Draft NIST Special Publication 800-218, Version 1.1, and consists of a core set of high-level secure software development practices that can be integrated into software development life cycles. The Draft SSDF requests comments by November 5, 2021, including responses to the questions “What types of artifacts and evidence can be captured, documented, and shared publicly as byproducts of implementing the secure software development practices?” and “Are there examples [of such artifacts and evidence] you can share?”
On October 28, 2021, NIST announced that it would hold a virtual workshop on November 8, 2021 to solicit input about the types of artifacts of secure software development that software producers can share publicly with software acquirers. The workshop will also cover approaches for “attesting to following specific secure software development practices.” NIST will use the input gathered at this workshop to finalize the SSDF, which then will be incorporated into the guidelines for enhancing software supply chain security discussed above.
NIST Issues Three Guidance Documents on Cloud Security
On October 28, 2021, NIST issued three reports related to cloud security: (1) the Second Draft NIST Internal Report (IR) 8320, “Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases”; (2) Draft NIST IR 8320B, “Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms”; and (3) Draft NIST Special Publication (SP) 1800-19, “Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments.” Each of these reports provides guidance on practices, techniques, and technologies for securing data in connection with various cloud services. NIST is accepting comments on all three reports until December 5, 2021.