Forthcoming Office of Management and Budget guidance on secure development practices offers a chance to make the software bill of materials the standard for vendor self-attestation.
But security experts say standardizing the SBOM, an inventory of the components that make up a piece of software down through its dependencies, requires practical deadlines for vendors and a concrete process for acting on the information it contains once it reaches agencies.
Federal contractors working to comply with new technology regulations typically seek as much certainty as possible from government agencies so they can budget for the changes. The Biden administration's cybersecurity EO in May last year was widely praised for setting a standardized timeline for adopting zero trust and other measures.
OMB required that agencies comply with the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF) in March, as mandated by the Cybersecurity Executive Order issued in May 2021. Software vendors will eventually be expected to prove their compliance with the SSDF, and they’d prefer self-attestation rather than third-party verification — which derailed the Pentagon’s first attempt at Cybersecurity Maturity Model Certification (CMMC).
“I really hope they go the former route because we’re building enough momentum behind the different parts of the executive order, behind this issue,” Jim Richberg, chief information security officer (CISO) at Fortinet, told FedScoop. “If they decide we’re going to have to stand up this whole regime of third-party assessors, we’ve just kicked this can a couple of years down the road.”
Third-party evaluations require an assessment infrastructure that will take time to establish, whereas vendors, particularly those that are Federal Risk and Authorization Management Program (FedRAMP) authorized, are accustomed to simply sharing their software development life cycle documentation with agencies for review during procurements.
Standardizing a process for software vendors to supply agencies with artifacts establishing chain of custody in a digital form is more easily achievable, costs less and can be automated and made more auditable over time, said Tim Brown, CISO at SolarWinds.
The 2020 SolarWinds breach, which compromised nine federal agencies, was among the incidents that precipitated the SSDF's creation, and it left the software company committed to the SBOM as a way to reestablish trust with customers. Parts of all nine affected agencies either never abandoned SolarWinds or began buying its software again in the last year-and-a-half.
“We think we are eroding that trust deficit,” said Chip Daniels, head of government affairs at SolarWinds. “But the only way to continue to do that is to show how we’re complying with things like the NIST standards and the spirit of the executive order.”
SBOMs present their own challenges. For one, agencies don’t currently have the staff to evaluate them; teams would need to be stood up, Brown said.
For vendor self-attestation to work, OMB's guidance needs to address that staffing gap, as well as the process for cataloging the information SBOMs contain.
“A few things would need to be in place: How does that information get provided? What information needs to be stored? What information needs to be dynamic versus static? Are we looking at point-in-time or continual attestation?” Brown said.
Allowing a year for self-attestation would give vendors the time needed to put checks in place, develop standard templates with questions and answers, and pave the way for eventual validation, according to one security expert.
OMB declined to comment on whether it was favoring vendor self-attestation and how that might work, ahead of the release of its guidance.
Other experts like Sean Frazier, chief security officer at Okta, worry that while SBOMs “should be a priority,” frequent federal guidance is leading to “cyber fatigue.” Security fundamentals like multi-factor authentication — adoption of which remains at a mere 22% among Microsoft customers — encryption and patching should be the short-term focus of agencies and vendors, Frazier said.
“If we don’t solve that low-hanging fruit problem, whatever we do for supply chain, they’re still attacking credentials, so they’re going to keep hitting that all day long and twice on Sunday because it still works for them,” Frazier said. “We’re not actually making it harder for attackers where they actually have to look at the supply chain and go, ‘I want to take advantage of this vulnerability and that vulnerability,’ because I can still get through the front door with a credential breach.”
Okta’s SBOM, which it refers to as its list of software and services (LSS), is a “longer-term project,” he added.
As a cloud service provider, Okta would prefer to handle questions about its software development life cycle through the FedRAMP process, which is already happening, Frazier said. NIST Special Publication 800-53 Revision 5 includes a supply chain risk management control family that the FedRAMP Program Management Office plans to adopt in its forthcoming baselines and measure its vendors against.
CMMC is under revision because the original process was "cumbersome" and "subjective," Richberg said. Which third-party assessor a vendor happened to draw determined its grade, and with it whether the vendor passed or failed.
Richberg expects OMB's guidance to require vendors to prove compliance through artifacts demonstrating specified functions, but not to be overly prescriptive, instead referring back to the SSDF.
Once released, the guidance will be translated into contract terms by agencies, but the cybersecurity executive order called for the SSDF to be implemented within a year. Depending on OMB's release date, some proofs of concept may appear before the end of fiscal 2022.
“I think aiming for the end of this fiscal year is frankly a little ambitious with this just coming out now,” Richberg said.