|

A timeline of federal guidance on software supply chain security

Over the past two years, the U.S. federal government has been busy crafting policy around software security, which includes mandates for government vendors. This timeline lists the major ones your team should pay attention to.

Carolynn van Arsdale
Blog Author

Carolynn van Arsdale, Cyber Content Creator at ReversingLabs. Read More...

Timeline of Federal Guidance

With major software supply chain attacks such as SolarWinds and the discovery of critical vulnerabilities like Log4j, the world has started to care a great deal about the security of software. These incidents, along with a string of others that span the past few decades, demonstrate that the problem of software supply chain attacks will not be going away anytime soon.

In fact, the problem has only gotten worse in the past two years. Specifically, software supply chain attacks via open-source repositories have taken a big hit, with attacks on npm and PyPI, two popular repositories, skyrocketing by 289% in the past four years.

Even more concerning, it has become clear that a significant number of organizations that produce software are not taking enough steps to secure the applications they are creating. According to a ReversingLabs commissioned survey on secure software practices, only 51% of software practitioners reported that their companies can protect their software from third-party risk when using open source, commercial solutions, and partner software. This signifies that there is a great deal of growth needed in the software industry when it comes to securing software.

Thanks to SolarWinds, Log4j, and other concerning software security incidents, the U.S. federal government has begun to take initiative over the past year and a half to address the growing problem of software supply chain attacks. This became official with the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity, which was followed by several other policy items and mandates that are expected to change the future of the software industry.

[ Special Report: The State of Software Supply Chain Security 2022-23 ]

Here's a timeline of the major documents, policy initiatives, and mandates that software organizations will want to take note of — whether they are selling their software products to the federal government, or not.

 

5/12/2021

The Biden Administration releases an Executive Order (EO) on Improving the Nation’s Cybersecurity (14028). The Order aims to better several areas of cybersecurity, including software supply chain security. Read more

7/12/2021

Following EO 14028, according to Section 4 f, the Secretary of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), releases a document that lists the minimum elements required for a software bill of materials (SBOM). Read more

9/27/2021

The NTIA introduces the Vulnerability Exploitability eXchange, which was created to “fill a particular need regarding use of software bills of materials (SBOMs),” in response to EO 14028. Read more

11/08/2021

Following EO 14028, according to Section 4 c, the National Institute for Standards and Technology (NIST) will release preliminary guidelines, based on consultations and existing documents, for enhancing software supply chain security.

2/03/2022

Following EO 14028, NIST releases the first version of the Secure Software Development Framework (SSDF) to the public. Read more

2/04/2022

Following EO 14028, according to Section 4 u, the Secretary of Commerce and NIST, in coordination with the Federal Trade Commission (FTC) and invited representatives from other agencies, are to identify secure software development practices or criteria for a consumer software labeling program. Read more

9/02/2022

The federal government’s Enduring Security Framework (ESF) working panel releases the “Securing the Software Supply Chain” report, meant to be a practical guide for developers. Read more

9/14/2022

Following EO 14028, the OMB issues a memorandum (M-22-18) that mandates all federal agencies to attain attestation of software security from any software company doing business with the federal government, as described in NIST’s SSDF guidance. Software developed and software modified by major version changes after this memorandum will need to follow these requirements. These requirements are not applicable to agency-developed software. Read more

9/21/2022

U.S. Senators Peter and Portman introduce Bill S. 4913 to the U.S. Senate, which aims to establish the duties of the Director of CISA in relation to open source software security. Read more

10/31/2022

The federal government’s ESF working panel releases the second series of the “Securing the Software Supply Chain” report, meant to be a practical guide for suppliers. Read more

12/20/2022

As required by M-22-18, according to Section 3 a, by this date, agencies will take inventory of all software subject to the requirements of M-22-18. A separate inventory will be created for “critical software.” 

01/19/2023

As required by M-22-18, according to Section 3 a, by this date, agencies will develop a consistent process to communicate relevant requirements in this memorandum to software vendors, and ensure attestation letters not posted publicly by software providers are collected in one central agency system. 

6/18/2023

As required by M-22-18, according to Section 3 a, by this date, agencies will collect attestation letters not posted publicly by software providers for “critical software.” 

9/21/2023

As required by M-22-18, according to Section 3 a, by this date, agencies will collect attestation letters not posted publicly by software providers for all software.