This is the nineteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through October 2022. This blog describes key actions taken to implement the Cyber EO during November 2022.
I. CISA, NSA, and ODNI Release Software Supply Chain Security Guide for Customers
On November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released the third in a series of recommended practice guides for securing the software supply chain (the “Customer Guide”). The first practice guide in this series – published in September 2022 – was for software developers, and the second – published in October 2022 – was for software suppliers. Each of the three guides is intended to supplement the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology (NIST) pursuant to Section 4 of the Cyber EO.
The Customer Guide identifies key supply chain security objectives for software customers (acquirers) and recommends several broad categories of practices to achieve those objectives, including security requirements planning, secure software architecture, and maintaining the security of software and the underlying infrastructure (e.g., environment, source code review, test). For each of these practice categories, the guide identifies examples of scenarios that could be exploited (threat scenarios) and examples of controls that could be implemented to mitigate those threat scenarios.
Section 2.1.3 of the Customer Guide is notable: it identifies objectives, scenarios, and mitigations for software acquisition contracts. This section highlights contracts that would be considered higher risk, including (i) those with suppliers or sources under foreign control; (ii) contracts with incomplete security and supply chain requirements; (iii) missing software bills of material (“SBOMs”); (iv) suppliers with poor security hygiene, including those that have experienced a compromise that could impact their development cycle; and (v) suppliers who alter or substitute components in the product prior to package signing and hashing.
To address some of these concerns, the guide recommends that such contracts incorporate a number of provisions designed to reduce supply chain risks. Specific recommendations include:
- Incorporation of forthcoming FAR/DFARS provisions for self-attestation from each supplier who provides products to U.S. Government customers, with attestations that provide visibility into the provenance of each software product delivered;
- A timeline or checklist of key steps that comprise the supplier’s security processes that were performed in the development of the product;
- Signature by the supplier-designated official responsible for the security hygiene of the development process and infrastructure; and
- A requirement for the supplier to provide cryptographic security for hashing/signature infrastructure of its product distribution system/method.
The Customer Guide also recommends that customers require suppliers to inform them on how to verify the integrity of all software components, including through:
- Requiring the use of a hash or signature or similar method to ensure the integrity of each component and requiring each supplier to inform the customer on how to verify the integrity of the components;
- Requiring that all artifacts sent by the supplier be in a standardized SBOM format;
- Providing SBOMs for all upgrades;
- Ensuring newly issued SBOMs incorporate all changes to the product baseline;
- Providing continuous reporting for all of the supplier’s key attributes, such as its ownership, geolocation and foreign controls, as well as for any changes of the key attributes; and
- Notifying the customer of cyber incidents and investigations, mitigations, and impacts to the product or the development environment of the product.
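To make the customer-side verification that these recommendations call for concrete, the following is an added example (not code from the Customer Guide or from CISA, NSA or ODNI). It checks each delivered component against the SHA-256 listed in a minimal CycloneDX-style SBOM and compares a baseline SBOM with the one issued for an upgrade; the SBOM subset, component names and delivered bytes are constructed for the example.

```python
import hashlib

# Constructed, in-memory delivery: component name -> bytes the supplier shipped.
# A real delivery would be files on disk; bytes are embedded so this runs offline.
DELIVERED = {
    "libparse": b"libparse v1.2.0 object code (constructed)",
    "netcore": b"netcore v3.1.4 object code (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sbom(version: str, artifacts: dict) -> dict:
    """Build a minimal CycloneDX-style SBOM (a hypothetical subset of the schema)
    listing each component with the SHA-256 the supplier attests to."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": "product", "version": version}},
        "components": [
            {"name": n, "hashes": [{"alg": "SHA-256", "content": sha256_hex(d)}]}
            for n, d in artifacts.items()
        ],
    }


def _hash_index(sbom: dict) -> dict:
    """Map component name -> attested SHA-256 (None if the SBOM omits it)."""
    return {
        c["name"]: next((h["content"] for h in c.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        for c in sbom["components"]
    }


def verify_components(sbom: dict, delivered: dict) -> list:
    """Return (component, reason) for each integrity finding: hash mismatch,
    missing hash, listed-but-not-delivered, or delivered-but-not-listed."""
    attested = _hash_index(sbom)
    problems = []
    for name, expected in attested.items():
        if name not in delivered:
            problems.append((name, "listed in SBOM but not delivered"))
        elif expected is None:
            problems.append((name, "no SHA-256 in SBOM"))
        elif sha256_hex(delivered[name]) != expected:
            problems.append((name, "hash mismatch"))
    # Shipped components absent from the SBOM mean the baseline is incomplete.
    problems += [(n, "delivered but missing from SBOM") for n in delivered if n not in attested]
    return problems


def sbom_changes(baseline: dict, updated: dict) -> dict:
    """Compare the baseline SBOM with an upgrade's SBOM: added, removed, changed."""
    old, new = _hash_index(baseline), _hash_index(updated)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }
```

A non-empty result from verify_components, or an unexpected entry in sbom_changes, is the trigger for the supplier notification the guide asks contracts to require.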
II. NIST Announces Project to Develop Guidance for Using DevSecOps Practices to Secure Software
On November 19, 2022, the NIST National Cybersecurity Center of Excellence (NCCoE) released a document, titled “Software Supply Chain And Devops Security Practices: Implementing a Risk-Based Approach to DevSecOps,” that describes its planned project to develop and document risk-based DevSecOps practices to secure software supply chains. The document defines “DevSecOps” as the process of integrating security practices developed by a security team into existing “pipelines” such as continuous integration/continuous delivery (CI/CD) and existing toolchains used by developers and operators. The document notes that the “project’s objective is to produce practical and actionable guidelines that meaningfully integrate security practices into development methodologies.”
The DevSecOps project will ultimately result in the issuance of a publicly available NIST Cybersecurity Practice Guide that industry, government, and other organizations can use when choosing and implementing DevSecOps practices in order to improve the security of the software they develop and/or operate. This guide will address how such organizations can generate artifacts as a by-product of their DevSecOps practices to support the organization’s self-attestations and compliance with applicable NIST and cybersecurity supply chain risk management practices.
III. DOD Issues Its Zero-Trust Strategy and Roadmap
On November 22, 2022, the Department of Defense (DOD) released its Zero Trust strategy for the next five years (FY23 – FY27). According to the strategy, Zero Trust “uses continuous multi-factor authentication, micro-segmentation, advanced encryption, endpoint security, analytics, and robust auditing, among other capabilities, to fortify data, applications, assets, and services to deliver cyber resiliency.” DOD’s strategy identifies four strategic principles, seven trust pillars, forty-five capabilities, and 152 activities involved in migrating DOD IT Systems to Zero Trust. The strategy requires that DOD components reach the targeted level of Zero Trust—satisfaction of 91 of the 152 activities—by FY27, subject to a waiver process administered by DOD’s Zero Trust Portfolio Management Office. Among others, the document lists “[i]ncorporate ZT requirements into DoD-wide and Component-specific strategies, policies, frameworks, and directives, and contracts by end of FY2023 and next iteration through FY 2027” as an objective of the strategy.