As many of our readers are aware, President Joseph Biden issued an executive order on May 12 to improve the nation’s cybersecurity. While much of the executive order focuses on strengthening the federal government’s networks against cybersecurity threats, “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” The Biden-Harris administration hopes that the private sector will follow the federal government’s example. Among the improvements listed in the executive order are:
Enhancing Software Supply Chain Security
The executive order requires the federal government to issue guidance identifying practices that enhance the security of the software supply chain. The guidance must address secure software development environments, including the following actions:
- Using administratively separate build environments
- Auditing trust relationships (as further defined in the executive order)
- Establishing multifactor, risk-based authentication and conditional access across the enterprise
- Documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software
- Employing encryption for data
- Monitoring operations and alerts and responding to attempted and actual cyber incidents
The guidance must also address the following:
- Creation and provision of artifacts demonstrating use of a secure development environment
- Use of automated tools to maintain trusted source code supply chains and to check for known and potential vulnerabilities
- Remediation of such vulnerabilities prior to product release
- Publication of a summary of the risks that were discovered and remediated
- Maintenance of accurate and up-to-date data, provenance of software code and components, and controls on internal and third-party software code or components
- Regular audits of these controls
- Provision to purchasers of a Software Bill of Materials (which is defined in the executive order) for each product, either directly or on a website
- Participation in a vulnerability disclosure program
- Attestation to secure software development practices
- Attestation to the integrity and provenance of open source software used within any product
Further, the executive order calls for the creation of pilot programs for consumer software labels addressing IoT (Internet of Things) cybersecurity criteria and secure software development practices. The criteria must reflect increasingly comprehensive levels of testing and assessment. The federal government should also consider ways to incentivize manufacturers and developers to participate in the programs.
Establishing a Cyber Safety Review Board
The executive order also calls for the creation of a Cyber Safety Review Board to review and assess significant cyber incidents (as defined under Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination) (PPD–41)). The board will be modeled on the National Transportation Safety Board, which investigates transportation accidents. The board’s membership will consist of both federal officials and representatives from the private sector. The board’s purpose will be to analyze significant cyber incidents and provide recommendations for improving cybersecurity.