RL Blog
AppSec & Supply Chain Security | January 4, 2024

A definitive guide: Federal software supply chain security initiatives

The government added important new guidance in 2023. Get up to speed — and see our interactive timeline of recent attacks to stay ahead of them in 2024.

Carolynn van Arsdale, Writer, ReversingLabs

Software supply chain security is now top-of-mind for software producers and enterprise consumers alike, given the dramatic increase in threats — and the steady growth in software supply chain attacks. But the private sector isn’t alone in taking notice of the epidemic.

The U.S. federal government has turned its attention to software supply chain security in recent years, and more recently it has stepped up its guidance with more comprehensive initiatives such as Secure by Design and specific guidance on tooling with the Enduring Security Framework's call for comprehensive binary analysis and reproducible builds.

What started with the White House’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028) has grown into a comprehensive trove of compliance and guidance initiatives that has shaped the federal government’s policies on software supply chain security. Three years after EO 14028’s initial release, these efforts have begun to take effect, forcing software producers — particularly those that do business with the federal government — to take notice.

However, it's not just software organizations working with the government that need to get up to speed on guidance. Analyst firm Gartner notes in its “Mitigate Enterprise Software Supply Chain Security Risks” report that open-source communities and enterprises alike should increase their scrutiny of supply chain risks and take action to prioritize software supply chain security protections.

Here are 2023’s major federal initiatives for improving software supply chain security, including a breakout of guidelines versus mandates. Combined with our definitive timeline for software supply chain security guidance, teams can better assess what changes they need to make with their software security approaches in 2024.


National Cybersecurity Strategy

March 2023 | Guidance

The National Cybersecurity Strategy (PDF) outlines the federal government’s continued efforts to improve the nation’s cybersecurity. The strategy comprises five pillars that address the federal government’s goals and is framed by two fundamental shifts: rebalancing the responsibility to defend cyberspace, and realigning incentives in favor of long-term investments.

Secure by Design

April 2023 | Guidance

Secure by Design, released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) along with 17 other U.S. and international partners, is an initiative that aims to rebalance the burdens caused by cybersecurity risk from the end user to technology manufacturers and providers. The initiative asks software producers to take ownership at the executive level to ensure that their products are intentionally made with security in mind and that security is also enabled after the product is manufactured and released. One key aim of Secure by Design is to shift liability from the consumers of software to the producers.

Cybersecurity Information Sheet on Defending CI/CD Environments

June 2023 | Guidance

The Cybersecurity Information Sheet (CSI) on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments (PDF), released by CISA and the National Security Agency, outlines recommendations and best practices for improving defenses in the software development, security, and operations (DevSecOps) process. It explains how to properly integrate security into CI/CD environments to ensure that security is not an afterthought for software products being developed. It also outlines what steps software publishers should take to continue actively hardening their software’s defenses post-build.

SEC Rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

July 2023 | Mandate

The SEC released a set of rules on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” Since August 2023, SEC registrants have had to disclose material cybersecurity incidents and annually disclose “basic material information” about the company’s cybersecurity risk management, strategy, and governance practices. Information that needs to be disclosed could include updates on the state of software supply chain security at an organization or details of a software supply chain attack that a company has suffered.

Cybersecurity in Medical Devices

September 2023 | Mandate

The FDA released “Cybersecurity in Medical Devices: Quality System Consideration and Content of Premarket Submissions” as a reference document for device manufacturers that must now report on their medical devices’ cybersecurity, in accordance with part (f) of Sec. 524B in H.R.2617, which includes the use of software bills of materials (SBOMs). In addition to providing an SBOM that includes the medical device’s use of commercial, open-source and off-the-shelf software components, manufacturers will also need to disclose how they deal with cybersecurity vulnerability management.

Software Identification Ecosystem Option Analysis

October 2023 | Guidance

CISA put forward new guidelines for a “Software Identification Ecosystem,” with the goal of producing a resource that is both precise and generic and that supports software “grouping.” A successful software identifier scheme should also include properties such as software names and versions that are used in both SBOM creation and vulnerability management — two important use cases.

Recommended Practices for SBOM Consumption

November 2023 | Guidance

As part of its second phase of the “Securing the Software Supply Chain” guide, the Enduring Security Framework Software Supply Chain Working Panel (ESF) released “Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption” (PDF). The document serves as an SBOM-specific follow-up to the first three parts of the “Securing the Software Supply Chain” guide, which are aimed at software developers, suppliers, and customers. All of these stakeholders should use the guidance as a basis for describing, assessing, and measuring security practices relative to the software lifecycle, as well as the acquisition, deployment, and operational phases of the software supply chain, respective to their unique responsibilities.

Looking ahead

The federal government has indicated that in 2024 and beyond it will continue to shape cybersecurity policy, including software supply chain security, in several ways.

The CISA Strategic Plan for 2024-2026, released in August 2023, outlines the government’s efforts regarding active threats, future threats and improving the security of the software ecosystem.

Among other things, CISA said that it aims to:

  • Increase the number of technology providers that have published detailed threat models that document both areas in need of increased security and potential threats/adversaries
  • Increase the number of technology providers that have implemented the NIST Secure Software Development Framework (SSDF) and the various security controls it entails
  • Increase the number of software producers that publish secure-by-design road maps for their product that lay out changes the producer is making to their software development processes, the measurement of software defect rates, as well as goals for improvement such as the transition to memory-safe programming languages
  • Increase the number of technology providers that regularly publish security-relevant statistics such as multifactor authentication (MFA) adoption, use of unsafe legacy protocols, and the prevalence of customers using unsupported product versions

These efforts, which aim to increase engagement by software producers, are sure to be accompanied by additional guidelines and mandates from federal agencies or regulatory bodies.

Focus on AI

CISA has also indicated that it will focus on security risks related to the adoption of artificial intelligence (AI) in the coming years, with initiatives designed to help organizations safely use AI to advance cybersecurity while also protecting them from AI-driven threats, or efforts by adversaries to manipulate or abuse AI systems. As with secure software development, CISA’s work to secure AI will build on NIST’s AI Risk Management Framework.

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the webinar discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
