The U.S. Government’s Battle Plan to Fortify Supply Chains
A flurry of guidance from the federal government has galvanized the attention of agencies and organizations. Here’s what security executives need to know.
Toyota Motors supplier Kojima Industries faced a reported cyberattack in February that forced the suspension of 28 Toyota production lines across 14 plants, severely interrupting the supply chain. Four months later, in yet another supply chain disruption, Japanese automotive hose maker Nichirin reported that a U.S. subsidiary had fallen victim to a ransomware attack, forcing the manufacturer to take its network offline and limit the number of specialized components it produced.
Supply chain attacks like these are on the rise, research shows—and the U.S. government is taking notice.
In May, the National Institute of Standards and Technology (NIST) released a 326-page framework on securing supply chains against cyberattacks, while the Cyber Safety Review Board (CSRB) issued a report in July with cybersecurity recommendations based on a review of the Log4j vulnerability. Most recently, the Office of Management and Budget (OMB) published guidance to ensure that federal agencies use software that has been built following common cybersecurity practices. And in a related move, the SEC has proposed that top executives at public companies, and their boards, would have to quickly disclose cybersecurity incidents and bolster their organizations’ oversight for security.
The recent avalanche of government recommendations is noteworthy, says Kate Ledesma, senior director for partnerships and government affairs at cybersecurity ratings company SecurityScorecard. The guidance comes on the heels of a number of significant cybersecurity incidents over the past few years—including the Log4j and SolarWinds hacks. These events have galvanized executive- and board-level attention about the importance of secure software development and other digital security practices, she says.
“Now the government is saying that in order to do business with us, we want to see these things from you, which is really moving the entire industry forward,” Ledesma says. “The products that are used by the government will have this baseline of security built in, which helps everybody who is buying, even outside the government. They’re signaling that everyone in the ecosystem—not just the public sector—is watching and dealing with these issues, and they’re moving the needle on security for everyone.”
Ledesma shared four takeaways from the recent government guidance, as well as her own expert advice about how organizations can adapt.
1. Software functionality is out, and software security is in
Over the past few years, more organizations are experiencing a shift from prioritizing software functionality to prioritizing software security, Ledesma says. In a press release from the White House about the new security guidance from OMB, Chris DeRusha, federal CISO and deputy national cyber director, underscored this priority: “Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” he wrote. “With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”
Ledesma says that software developers should implement practices consistent with the NIST software security development framework. The framework stresses a whole-organization approach, she adds, in which secure software development is no longer the sole responsibility of developers. “Everyone—the vendors, users, and buyers—needs to work together to have the tools and frameworks to deal with this,” she says.
2. Documentation and consistency are critical
Organizations must prioritize documenting and demonstrating consistency in secure software development, Ledesma says. The White House, for example, recently tasked CISA and OMB to create a common form that software vendors must use to ensure the technology they are selling to the government meets NIST security guidelines.
Ledesma says this move comes as part of an effort to streamline how users and government agencies describe their security. “Organization A and organization B might say things two different ways, but are they the same thing?” she says. “Are their practices as secure as each other’s? This self-attestation is really going to help users—and especially agencies—compare apples to apples.”
3. Automation is the future
The NIST framework calls for automation to reduce human effort, improve accuracy, and streamline repeatable processes. This includes tasks such as workflow tracking, signing capabilities to produce immutable record logs, continuous monitoring of tools, and logging of tool-related operational and security issues. Ledesma says that automation is the only option for organizations to operate at the scale and speed required today.
“It’s about giving both vendors and software purchasers the tools to make risk assessments and validate whether software products are secure,” she says. “Simply operational isn’t good enough anymore—tools must be both operational and secure.”
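The framework's call for "signing capabilities to produce immutable record logs" is easier to reason about with a concrete, if simplified, instance. The following is an added example, not code from the article, from NIST, or from SecurityScorecard: a hash-chained build log in which every record commits to the previous one and carries a keyed tag, so a later edit, insertion, or deletion of an earlier record is detected on verification. It assumes an HMAC with a key held by the build system as a stand-in for a digital signature so that it runs on the Python standard library alone; in practice an asymmetric signature (for example Ed25519) would let purchasers verify records without sharing a secret. The build events and commit/artifact identifiers are constructed sample data.

```python
"""Tamper-evident, hash-chained build record log (added example, not from the page).

Each record stores the SHA-256 of the previous record, so altering or removing any
earlier record breaks every later link. Each record also carries an HMAC tag
computed with a key held by the build system; the HMAC stands in for a digital
signature so the example runs on the standard library alone (assumption).
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the first record


def _canonical(record: dict) -> bytes:
    # Stable serialization so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: list, key: bytes, event: dict) -> dict:
    """Append a build event, chaining it to the previous record and tagging it."""
    prev_hash = log[-1]["record_hash"] if log else GENESIS
    body = {"seq": len(log), "prev_hash": prev_hash, "event": event}
    record_hash = hashlib.sha256(_canonical(body)).hexdigest()
    tag = hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, record_hash=record_hash, tag=tag)
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes) -> tuple:
    """Return (ok, index_of_first_bad_record); the index is -1 when the log is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev_hash": entry["prev_hash"], "event": entry["event"]}
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        expected_tag = hmac.new(key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if (entry["seq"] != i
                or entry["prev_hash"] != prev_hash
                or entry["record_hash"] != expected_hash
                or not hmac.compare_digest(entry["tag"], expected_tag)):
            return False, i
        prev_hash = entry["record_hash"]
    return True, -1


def build_sample_log(key: bytes) -> list:
    """Constructed sample: three events a CI pipeline might record."""
    log = []
    append_record(log, key, {"step": "checkout", "commit": "abc123 (constructed)"})
    append_record(log, key, {"step": "dependency-scan", "findings": 2})
    append_record(log, key, {"step": "build", "artifact_sha256": "deadbeef (constructed)"})
    return log


def tampered_copy(log: list) -> list:
    """Copy the log and quietly rewrite the scan result in record 1 to hide its findings."""
    forged = copy.deepcopy(log)
    forged[1]["event"]["findings"] = 0
    return forged


if __name__ == "__main__":
    key = b"constructed-build-key"
    log = build_sample_log(key)
    print("intact log verifies:", verify_log(log, key))
    print("forged log verifies:", verify_log(tampered_copy(log), key))
    print("wrong key verifies: ", verify_log(log, b"wrong-key"))
```

Two limits worth keeping in mind: a hash chain alone does not reveal that the newest records were truncated, so the head hash should also be published or counter-signed out of band, and a symmetric tag like the HMAC used here can be forged by anyone holding the key, which is why an asymmetric signature is the right tool when vendors and purchasers verify each other's records.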
4. A risk-based security approach must focus on outcomes
The NIST framework is focused on outcomes but isn’t prescriptive about how to achieve them. It also encourages organizations to adopt a risk-based approach and customize their strategy as appropriate. Ledesma says that while the concept of outcome-based practices isn’t new, it’s certainly not easy: “The NIST framework helps provide all organizations in the ecosystem a shared starting point and helps us all to be speaking the same language.”
The value organizations derive from the government guidance will depend on the maturity of their security practices, Ledesma adds. Less-sophisticated organizations might start by creating a foundational framework for processes and procedures, while more advanced organizations can progress through the framework to refine and develop their processes and procedures even further.
“The NIST framework is really about one thing: security,” she says. “And it’s about an ecosystem of security because, as we know, one organization’s security practices affect their partner, vendor, and customer security, since they connect. The government’s guidance raises the bar for everybody.”