The US Cybersecurity and Infrastructure Security Agency (CISA) is making moves in 2023 to put all of its recent policy and guidance work around software supply chain security into action. Earlier this month, the agency announced a risk management office that is meant to help operationalize a lot of the new and upcoming guidance from CISA and other federal agencies on cyber supply chain risk management (C-SCRM).
The office will be led by Shon Lyublanovits, formerly of the General Services Administration (GSA). The original Federal News Network report of C-SCRM came by way of a recent event featuring Lyublanovits, who says the office is still in early stages but wants to get CISA to do more than "thinking broadly" on the problem by making meaningful roadmaps for action and implementing them.
Details are still forthcoming as to how the office will operate, but early indications are that the C-SCRM office will not only help federal agencies put policies into practice, but also lead the charge in information sharing, education, and outreach to the wider security industry and developer communities. Lyublanovits said at the event:
We want to make sure that we’re collectively looking at all of this because, again, it isn’t a government problem. It isn’t (an) industry problem. It is a nation problem.
Will CISA's C-SCRM office and initiative move the needle on software supply chain security? Here's analysis of the news from experts in the field.
See Special Report: NIST CSF 2.0 and C-SCRM for Software Risk Management
The creation of the C-SCRM office and Lyublanovits' appointment turns a page on what was a busy 2022 in the issuance of new federal directives and guidelines with regard to software security and cyber supply chains.
Some of the highlights included the release of:
See our interactive report: A timeline of federal guidance on software supply chain security
Among these, the OMB memo is likely to have some of the most immediate impact on private sector practices around software security, as the attestation requirements are likely to have a ripple effect of transparency for any organizations that do business with the federal government.
Jeff Williams, co-founder and CTO of Contrast Security, said companies that already have a decent AppSec program in place can quickly create these attestations about what they are already doing. But there are a lot of companies that don’t do much to ensure security, and they should get moving right away to get their house in order before the one-year deadline.
Jeff Williams: I think that the enforcement of these requirements is part of a broader trend towards security transparency for all software. I believe it is a fundamental human right that software users should know about the security of the software they trust with their finances, government, healthcare, social life, elections, and everything else that matters in their life.
For their part, the ESF guidelines had a hit-or-miss reaction from some industry players like Williams. He argued that the developers' guide was too sweeping while lacking the kind of resources that developers need to improve the state of the software security and the way they tap into the software supply chain.
Jeff Williams: I don’t think the 'guide for developers' is helpful at all. It’s a kitchen sink of so-called best practices and requirements from a variety of sources and organizations. The doc is absolutely not for developers. They’re security activities and would require a massive rethink for developers to perform. You can’t just shove security activities on developers — that’s 'shitting left' vs. shifting left and it doesn’t work.
More crucially, even the actionable content in the ESF guides lacks any meaningful teeth for enforcement, so many industry insiders give the recommendations only a so-so chance of being fully embraced in the private sector, said Ray Steen, chief strategy officer for MainSpring, a consultancy that does business with numerous federal agencies.
Ray Steen: As of yet, ESF guidelines are just that: guidelines. The documents do not represent a change in regulation, and they carry no timeline for compliance. That being said, they could potentially influence ongoing cybersecurity initiatives such as OMB's zero-trust strategy, which goes into effect by 2024. ESF guidance could be included in future iterations of CMMC or NIST 800-171, which would make it a prerequisite for doing business with the federal government.
See our full coverage of the Enduring Security Framework
That gap between mandates and guidelines is where the C-SCRM office could have the opportunity to help private-sector stakeholders move the needle on cyber supply chain risk.
Matt Rose, Field CISO for ReversingLabs, said he applauds CISA's creation of the C-SCRM organization "because clarity is a must when it comes to policies and standards for any technology initiative."
Matt Rose: Currently there are a ton of statements and standards associated with software supply chain risk being created without a common voice. It is up to the interpretation of the individual, or organization, to figure out what is a must-have, and what is a 'nice to have'. I see the C-SCRM, in a perfect world, as the one voice for all things associated with supply chain risk.
Abhay Bhargav, founder and CEO at AppSecEngineer, said that forming a new project management office can help solve key software supply chain security issues.
Abhay Bhargav: Having a dedicated office to focus on this issue provides resources, focus, and meaningful detailing to improve the progress of software supply chain security. This increases awareness, provides guidance and best practices, and facilitates collaboration between government agencies, industry, and other stakeholders.
In particular, Bhargav believes that the office could do a lot to proactively educate the right stakeholders, especially in concert with detailed standards. He says the more specific CISA and its new office can be with standards and implementation guidance, the better these efforts will serve government and private-sector stakeholders.
Guidance needs to have specificity with reference to the industry and sector as well, Bhargav said. "Supply-Chain security for healthcare and devices is a completely different animal that needs to be dealt with differently."
Abhay Bhargav: Creating high-level guidance never works. Specific is terrific.
Nathaniel Cole, CISO for TreviPay and a cybersecurity advice columnist for advisory firm Network Assured, said CISA's track record on taking action to engage with private sector interests shows that this new office could be a game-changer for cyber supply chain risk management.
By providing everything from security recommendations and configurations for new and emerging technologies to open source intelligence on vulnerabilities, CISA has a track record of helping to secure private industry over the years. "We can expect they will know the steps to take in helping businesses tackle supply chain security," Cole says.
Nathaniel Cole: Based on what CISA has provided over the years, we can expect a wealth of great tools and services coming from this new office in the years to come. These could drastically improve the intelligence and capabilities of organizations to better secure their software and manage supply chain risks.