As part of the Executive Order on Improving the Nation’s Cybersecurity (EO 14028), NIST is required to do several things. Among those are guides and standards for improving supply chain security, and they have already released a number of draft documents related to their tasks.
If you sell to the executive branch, these will become mandatory. In some cases they can bypass the FAR process, although there will be some FARs created, and just implement the EO as directives to the branch agencies to do this or do that.
The first thing that they did is create a definition of what is critical software. You can see this document here. It provides both specific criteria for attributes of software that meet their definition and then it provides a list of software types (like, for example, endpoint security tools) that meet these definitions.
Earlier this month, NIST released preliminary guidelines for enhancing software supply chain security. This document, called NIST Special Publication 800-161 Rev 1, was released in draft form for comment. A lightweight bedtime read of over 300 pages, it is open for comments until December 3rd. It provides a very rich cybersecurity supply chain risk management (C-SCRM) process, and it will only get better with comments.
After releasing this, NIST held a workshop to go over the guidance, which is due to be finalized by February 6, 2022.
NIST has also created a new document titled Secure Software Development Framework Version 1.1, also known as NIST Special Publication 800-218, which is available here. Unlike SP 800-161, this one is only 31 pages.
Perhaps I don’t understand all of this, but here is my take.
If you develop software, you want it to be secure.
If you sell software to the government, you will be required to follow this NIST process.
If you don’t sell to the government, but your customers sell to the government, you may be required to follow this process anyway.
So, you basically have three choices:
- Do nothing and see what happens
- Create your own secure software development framework
- Leverage all the work that NIST has already done and will continue to do, follow their guidance, and improve your software’s security.
Which one do you think is the best strategy?
I thought so.