Recent security breaches via software have made supply chain security a priority across government. No longer is it enough to build security into a solution; now every product that is part of that solution is being examined for its security and risk. In response, the Biden Administration issued a Cybersecurity Executive Order that aims to provide more control over the content of code that comes in contact with government systems and infrastructure.
Specifically, the order aims to:
- Remove barriers to threat information sharing between government and the private sector
- Modernize and implement stronger cybersecurity standards in the federal government
- Improve software supply chain security
- Establish a cybersecurity safety review board
- Create a standard playbook for responding to cyber incidents
- Improve detection of cybersecurity incidents on federal government networks
- Improve investigative and remediation capabilities
Results are already being seen from this order issued in May. The National Institute of Standards and Technology (NIST) published a definition of "critical software" which allows for better policing of software supply chains. This definition outlines the types of technologies that must be prioritized for security evaluation and updates. It includes identity controls, endpoint protection, data backup, web browsers, and network and operational monitoring tools.
This published definition sets the stage for NIST to issue guidance on best practices for vendors to maintain the security and integrity of their software code. Vendors will have to confirm they meet the security rules before their solution can be used in a government system. Within a year, language will be added to the Federal Acquisition Regulation (FAR) to cover these new supply chain security practices.
There are a number of events and resources that can help keep you up to date on the evolving definition of security including the processes and policies in place to enforce these guidelines as required by the Federal Government.
- Government Contract Compliance (October 19, 2021; webcast) -- The best way to remain in compliance is to implement a proactive Government Compliance Program. This training covers the foundations of federal government contracting and keeps you up-to-date on emerging topics in the federal contracting industry.
- 2021 PSC Annual Conference (October 26-26, 2021; virtual or West Sulphur Springs, WV) -- Join government and industry leaders to address current issues facing the government professional and technology services industry.
- Information Technology and Cybersecurity: Significant Attention Is Needed to Address High-Risk Areas (white paper) -- GAO reported that significant attention was needed to improve the federal government's management of information technology (IT) acquisitions and operations and ensure the nation's cybersecurity. Regarding the management of IT, overall progress in addressing this area has remained unchanged. This paper details the work that needs to be done to meet GAO recommendations.
- Defense Acquisitions: DOD's Cybersecurity Maturity Model Certification Framework (white paper) -- The DOD has developed the Cybersecurity Maturity Model Certification (CMMC) framework. This DOD-driven initiative intends to provide a "unified cybersecurity standard" for defense acquisitions and aims to use and build on existing law and regulations.
Visit GovEvents for a complete listing of conferences, virtual events, and webinars. Browse GovWhitePapers for 1000+ white papers, case studies, and infographics that detail the latest acquisition and cybersecurity strategies and policies.
