As federal agencies face a rising number of cyber threats, government software suppliers are in for some substantial security checks.
Under the Biden Administration, the Office of Management and Budget now mandates that U.S. government agencies employ software services adhering to strict guidelines established by the National Institute of Standards and Technology (NIST). The new rules apply to IT, data networks, and other digital infrastructure provided by some of the biggest names in the business, such as Lockheed Martin and Dell, down to smaller startups in the tech space.
Companies that have built a business on providing software development and supply chain services to federal agencies will need to think smart and act fast to stay ahead of the curve. And for those assuming cloud-based platforms are exempt, U.S. authorities are keeping a thorough checklist in 2022. That includes “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software,” as the recent OMB memorandum outlines.
Staying ahead of the curve when it comes to ever-evolving cyber threats means ‘shifting left’ on security and automating build and security validations that would historically be done manually. Shifting left with OEM-provided automation ensures repeatability at scale, and makes real the cybersecurity paradigm where ‘speed is the new security.’ One example of this unmatched speed, delivered by VMware, empowered the Army Software Factory and Enterprise Cloud Management Agency to globally mitigate the dreaded Log4j vulnerability in under 24 hours, as they captured here.
The mandate is part of a larger executive order. Executive Order (EO) 14028 was issued by President Joe Biden last year to take larger and more visible steps toward updating federal government cybersecurity and software supply chain protocols.
The new rules were largely prompted by the “SolarWinds hack,” a major cyberattack in 2020 that hit thousands of organizations around the world, including the U.S. federal government. The alleged “Russian state-sponsored” attackers reportedly exploited software from Microsoft and other software providers, as well as a handful of key government agencies, leading to a string of data breaches.
Now, with a concrete framework for software developers and supply service providers in place, there are opportunities for our industry to create a more optimized marketplace. Companies that deliver software products that meet the latest standards will gain a competitive advantage in a relatively crowded sector.
Going forward, federal agencies will need to obtain documented self-verification from each vendor before utilizing any of its software services, the OMB memo notes. If a software provider is unable to provide such documentation, that provider must obtain authorization from a certified FedRAMP assessor, or another official platform granted agency approval.
Federal agencies that rely on third-party software services have been given the following guidance from the White House on the necessary steps they’ll need to take:
- Agencies are required to inventory all of their software services within 90 days
- Agency information heads must relay the new requirements to all of their vendors and secure verification letters in a centralized system within 120 days
- Agency CIOs are required to assess training needs and develop plans for software review and validation within 180 days
- Agencies will need to obtain verification letters for all “critical software” within 270 days
- Agencies will need to obtain verification letters for all software subject to the new requirements within 365 days
The OMB memo — which for now only applies to federal agencies and executive departments in the U.S. — could potentially have bigger implications for public and private sectors around the world given the size and scope of global software supply chains.
Taking the next steps
At VMware, one of our leading priorities is to continue ensuring secure cloud services for a global client base that can rely on our robust data integrity and privacy protection efforts, regardless of region.
This NIST assessment can help you quickly assess your program’s core cybersecurity capabilities, strengths, and weaknesses. It will also generate a recommended action plan that can be deployed immediately to mitigate risk and improve performance.
Find out how to further implement a secure software supply chain with internal development practices in this whitepaper.