Companies can’t fully adhere to the federal framework for secure software development until government begins making procurement decisions based on the guidance, according to industry experts.
The Secure Software Development Framework (SSDF) is a conceptual document that expects software developers and providers to prove compliance with artifacts, but which artifacts (threat models, log entries, source code files, vulnerability scan reports) agencies will require isn't stated consistently in contracts.
While the National Institute of Standards and Technology recommended in the SSDF that organizations "produce well-secured software with minimal security vulnerabilities," that outcome depends on government and industry working together to determine what is contractually feasible.
“I don’t think it’s at the point where I, if I were still in government, would want to go write contract requirements feeling that I had enough specificity in what was there in the software framework,” Jim Richberg, field chief information security officer for public sector at Fortinet, told FedScoop.
That's not to say industry dislikes the SSDF; rather, it recognizes that the Office of Management and Budget's recent mandate that agencies comply with the guidance will help CISOs and chief information officers secure their IT infrastructure and keep it as free of vulnerabilities as possible.
But clarifying the framework will take a lot of work, especially from government, and require a flexible timeline.
“I would say that there will be a deadline, and it will have to be a soft deadline,” said Bob Stevens, area vice president of public sector at GitLab. “We’re talking about the potential change of a lot of infrastructure and a lot of transitioning for government agencies.”
The Cybersecurity Executive Order that directed NIST to develop the SSDF had three dozen action items across three competing priorities for agencies: implementing zero-trust security architectures, accelerating cloud migration and securing the software supply chain. While all three reinforce each other in some ways, Congress needs to appropriate additional money for the last of these, Richberg said.
Much of the software agencies buy is enterprise software, meaning it isn't written solely in house by the vendor but assembled with code and components from other organizations. Determining contract requirements that also reach those third-party developers and suppliers will take time.
“I’d be hard-pressed to say it’s going to happen in 18 months,” Richberg said.