The White House has shared a memo requiring agencies to comply with guidance from the Office of Management and Budget (OMB) to improve the security and integrity of the software supply chain.
The new guidance will require agencies to follow secure development practices from the National Institute of Standards and Technology (NIST), a physical sciences laboratory and non-regulatory agency of the US Department of Commerce.
The memo, signed by OMB Director Shalanda Young, is headlined ‘Enhancing the Security of the Software Supply Chain through Secure Software Development Practices’.
In it Young says: “The Federal Government relies on information and communications technology products and services to carry out critical functions.
Global supply chains facing 'relentless criminal threat'
“The global supply chain for these technologies faces relentless threats from nation state and criminal actors seeking to steal sensitive information and intellectual property, compromise the integrity of government systems, and conduct other acts that impact the government’s ability to safely and reliably provide services to the public.”
The executive order (EO) that the DoJ is urging compliance with focuses on the security and integrity of the software supply chain, and emphasises the importance of secure software development environments.
In the memo, Young goes on to say: “Ensuring software integrity is key to protecting Federal systems from threats and vulnerabilities and reducing overall risk from cyber-attacks.
“The NIST guidance provides recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development.
“Federal agencies must only use software provided by software producers who can attest to complying with the government-specified secure software development practices, as described in the NIST Guidance.”
Supply chain & cybersecurity sectors welcome memo
In supply chain and cybersecurity there has been a generally positive reaction to the memo.
Sam Curry, Chief Security Officer with Cybereason, posted: “Yesterday’s Office of Management and Budget memo is an indication that the government is taking supply chain risk seriously and beginning to tackle this enormous problem.
“What matters now is how we build on this. There is no one requirement or one thing that will make it all alright. Security is about building on what is laid down and about the rate of improvement. This says that the government is in the game, and it’s time to get the innovation started.”
According to RKVST, a leading provider of supply chain integrity, transparency and trust, it’s a step in the right direction towards distributing secure supply chain information.
Jon Geater, Chief Product and Technology Officer at RKVST, said: “We applaud the White House for its commitment to a modern strategy for cybersecurity in the US.
“The memo sets out guidance and timelines for government agencies to comply with the EO and underscores the importance of tools that securely distribute software supply chain information among all relevant stakeholders and attest to the provenance and integrity of software in critical use cases.”