As I said yesterday, some EOs are a couple of paragraphs long. This one goes on for pages. Today’s post is going to cover the section of the EO that addresses supply chain risk. Supply chain risk, as we saw in both the SolarWinds and Microsoft Exchange attacks, is a huge problem. So what does the EO do?
- The Commerce Department, through NIST, has only 30 days to solicit input from government, academia and the public to identify existing or develop new standards, tools and practices for complying with other requirements in this EO.
- NIST must publish preliminary guidelines for complying with this EO within 180 days.
- Within 360 days NIST will publish guidelines for reviewing and updating the guidelines above.
- Within 90 days NIST must issue guidance identifying practices that enhance the security of the software supply chain. This must include standards, procedures or criteria for:
  - Secure software development environments
  - Creating and delivering documentation proving the use of SSDL practices
- Within 60 days, Commerce and NTIA must publish minimum elements for an SBOM. NTIA has been working on this since 2018 and I have been involved in this effort. This is critical.
- Within 45 days NIST, consulting with the Secretary of Defense (SecDef), shall publish an official definition of what software is considered critical. Likely this includes anything that runs with more than normal user permissions. Then, within another 30 days, CISA will release a list of categories of software and software products that fit into that definition.
- Within 60 days, NIST and CISA will release guidance for required security measures for critical software.
- Within 30 days, OMB will take appropriate steps to make sure agencies comply with this guidance and specifically with respect to software that they obtain after this EO was issued.
- While agencies may ask for an extension in complying with a specific requirement, OMB will review those requests on a case-by-case basis.
- Within a year, OMB will provide recommended FAR language changes to the FAR Council.
- Within 60 days, NIST, consulting with NSA and SecDef, shall publish software security testing guidelines.
- Within 270 days NIST must identify IoT cybersecurity criteria for a consumer (security) labeling program. This shall reflect increasingly comprehensive levels of security testing.
- Within 270 days NIST must identify secure software development practices or criteria for a consumer software labeling program. The labeling shall reflect a baseline level of secure practices and, if practicable, increasing levels of comprehensive testing and assessment.
Okay, I left a bunch of section 4 out for clarity. The highlighted items will affect consumers or are otherwise important. I am sure that some companies will try to sue the government. Congress may have to act. But even if these labels and standards are voluntary for now, some companies will think it is great marketing to push what they are doing and the other companies will be pressured to step up to the plate. If some companies lie about what they are doing, the FTC can come after them.
We are now about halfway through the EO. As you can see, this has a lot more meat than most EOs. If you sell products (hardware or software) to the government, to other companies that sell to the government, or to consumers, you need to be considering your plans now.