This executive order is a big one – and very aggressive. Here is part 3 of what is in it. I am going to keep doing this until I get all the way through this almost 40 page document.
In part 2, I provided the abridged version of section 4 of the EO. This is the full version.
If you develop software, this is going to be your best practices guide. Correction, this is going to be your minimal acceptable practices guide.
YOU SHOULD ASSUME LARGE COMMERCIAL BUSINESS CUSTOMERS WILL BE ASKING YOU ABOUT YOUR COMPLIANCE WITH PART, WITHOUT REGARD TO WHETHER YOU SELL TO THE GOVERNMENT. THIS IS YOUR NEW REQUIREMENTS SPECIFICATION. FOR MANY OF THEM, NON-COMPLIANCE WILL MEAN DISQUALIFICATION FROM CONSIDERATION AS A VENDOR.
Sec. 4. Enhancing Software Supply Chain Security.
Supply chain is, of course, what was at the root of the SolarWinds attack and the Exchange server attack, so doing something to shore that up only makes sense.
- Within 30 days, NIST will solicit input from government, industry and academia to identify existing or develop new standards, tools and best practices for improving supply chain security.
- Within 6 months NIST must publish guidelines to enhance software supply chain security based on the conversations above.
- Within a year NIST must publish additional guidelines, including rules for updating what has already been released.
- Within 3 months of releasing the preliminary guidelines, NIST must issue guidance including standards and procedures for: secure software development processes, generating and producing documents to provide that they are following such practices, using automated tools to maintain trusted code, producing reports on the results of using such tools and making a summary available publicly, maintaining and providing a Software Bill of Materials (SBoM), running a vulnerability disclosure program, attesting to all of these practices and attesting to the extent possible, to the integrity and provenance of any open source software used. THIS ITEM WILL BE A HUGE CHALLENGE FOR MOST ORGANIZATIONS.
- Within 60 days NTIA will publish a minimum standard for what needs to be in an SBoM.
- Within 45 days NIST and the NSA will define what is covered by critical software. That software is what this EO applies to.
- Within 30 days of the above, CISA will identify a list of categories of software and products that meet the definition of critical software.
- Within 60 days of the EO NIST will publish guidance for security measures for critical software. Note that the timeline of these last 3 items is very tight. Then OMB has 30 days to make sure that agencies are following this guidance. This includes making sure that new software acquisitions follow these rules. Agencies can request an extension which will be reviewed on a case by case basis. Waivers will also be possible, but only for a limited time period and only in exceptional cases.
- Within a year DHS, the AG, OMB and the OEG will recommend FAR changes to the FAR council. The FAR council will then review and amend the FARs.
- Once the FARs are updated, agencies must REMOVE software that does not meet the new FAR requirements from and IDIQ contracts, FWACs, BPAs and multiple award contracts – basically all of the large purchasing vehicles that the government uses.
- OMB will require agencies using legacy software acquired before EO to either comply with the new requirements or get either an extension or a waiver.
- Within 60 days NIST and the NSA will release software testing guidelines.
- NIST will create a pilot program for labelling consumer IoT products for security capabilities. They will do this in a way that “incentivizes” manufacturers to participate.
- Within 9 months the FTC will see if they can force participation in an IoT security labelling program via any existing laws (such as section 5 of the FTC act).
- Within 9 months NIST and the FTC will identify secure software development practices to be part of the consumer IoT security labelling program above.
- Within a year NIST will review these labelling programs for effectiveness and determine what improvements need to be made.
- And, finally for this section, after a year, the Secretary of Commerce shall report to the President on what progress has been made regarding the requirements of this section.