The National Institute of Standards and Technology (NIST) in June will host a two-day virtual workshop to discuss its plans for raising the bar on the security of the software supply chain and gather feedback on how it should develop standards and guidelines called for by President Joe Biden to enhance software supply chain security for the federal government.
Section 4 of Biden’s new executive order for Improving the Nation’s Cybersecurity calls for the Department of Commerce, through NIST, to solicit input from all stakeholders, including the federal government, industry and academia, to identify existing standards or develop new standards and tools and then “issue guidance identifying practices that enhance the security of the software supply chain.”
Preliminary guidelines are due within 180 days of publication of the executive order and the final guidelines within 90 days of the initial guidance. The executive order (14028) was announced last week and published in the Federal Register on May 17.
NIST said on Monday that the forthcoming standards and guidelines will be used by federal agencies to govern their purchases of software.
In preparation for the workshop, NIST is inviting position papers from interested parties on standards and guidelines.
The White House released the executive order on May 12. The directive was prompted in part by the high-profile disclosure last December of a software supply chain hack committed by the Russian government against federal and private sector networks in the U.S. using a network management platform developed by Texas-based SolarWinds Inc. [SWI]. In that attack, Russian intelligence cyber operatives compromised the company’s software used to provide updates or patches to software products already deployed on customers’ networks.
A separate high-profile hack was disclosed in March related to a Microsoft [MSFT] email and calendar management platform.
Prior to the release of the executive order, a senior administration official told reporters on a background call that a “commonality among these incidents is poor software security, and the current market development of ‘build, sell, and maybe patch later’ means we routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure,” referring to systems used in government and the private sector for critical infrastructure.
Section 4 of Biden’s directive also calls for NIST to work with other agencies to begin pilot programs based on existing consumer product labeling to inform the public on the security of “Internet of Things” devices and consumer software. NIST said the pilot labeling programs will be addressed in other forums.