OMB guidance presents an opportunity to standardize the software bill of materials
Written by Dave Nyczepir
The Office of Management and Budget’s upcoming guidance on secure development practices offers a chance to make the software bill of materials (SBOM) the standard for vendor self-attestation.
But security experts say standardizing the SBOM, an inventory of a product’s software components down to the bottom of the stack, requires practical timelines for vendors and a concrete process for using the information it contains across agencies.
Federal contractors struggling to comply with new technology regulations typically seek as much certainty as possible from government agencies so they can budget for the changes. The Biden administration’s cybersecurity executive order in May last year was widely praised for setting a standardized timeline for adopting zero trust and other measures.
OMB required agencies to comply with the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF) in March, as directed by the Cybersecurity Executive Order issued in May 2021. Software vendors will eventually be required to prove compliance with the SSDF, and they would prefer self-attestation over third-party verification, which derailed the Pentagon’s first attempt at Cybersecurity Maturity Model Certification (CMMC).
“I really hope they take the first route because we are giving enough momentum to the various parts of the executive order, behind this issue,” Jim Richberg, chief information security officer (CISO) at Fortinet, told FedScoop. “If they decide we’re going to have to put this whole third-party appraiser regime in place, we’ve just launched that in a couple of years.”
Third-party assessments require infrastructure that will take time to set up, while vendors — especially those authorized by the Federal Risk and Authorization Management Program (FedRAMP) — are used to simply sharing their software development lifecycles with agencies for consideration during purchases.
Standardizing a process for software vendors to provide agencies with chain-of-custody artifacts in digital form is more easily accomplished, costs less, and can be automated and made more auditable over time, said Tim Brown, CISO at SolarWinds.
The 2020 SolarWinds breach that compromised nine federal agencies, among other incidents, precipitated the creation of the SSDF and left the software company working with SBOMs to rebuild trust with customers. Some of the nine agencies involved never stopped using SolarWinds, or have started buying its software again in the past year and a half.
“We think we’re eroding that trust deficit,” said Chip Daniels, government affairs manager at SolarWinds. “But the only way we can continue to do that is to show how we’re complying with things like NIST standards and the spirit of the executive order.”
SBOMs present their own challenges. For one, agencies currently lack the staff to assess them; teams would need to be stood up, Brown said.
OMB’s guidance needs to address this, as well as the process for cataloging the information contained in SBOMs, for vendor self-attestation to work.
“A few things should be in place: how is this information provided? What information should be stored? What information should be dynamic or static? Are we considering one-time or continuous certification?” Brown said.
The OMB declined to comment on whether it favors vendor self-attestation and how it might work, until its guidance is released.
Other experts like Sean Frazier, chief security officer at Okta, worry that while SBOMs “should be a priority,” frequent federal guidance is leading to “cyber fatigue.” Security fundamentals like multi-factor authentication — adoption of which remains at just 22% among Microsoft customers — encryption and patching should be the near-term priority for agencies and vendors, Frazier said.
“If we don’t fix this low-hanging fruit problem, whatever we do for the supply chain, they’re still attacking the credentials, so they’re going to keep hitting this all day and twice on Sunday, because it always works for them,” Frazier said. “We don’t really make it harder for attackers when they actually have to look at the supply chain and say, ‘I want to take advantage of this vulnerability and this vulnerability,’ because I can still walk through the front door with a violation identifier.”
Okta’s SBOM, which it calls its list of software and services (LSS), is a “longer-term project,” he added.
As a cloud service provider, Okta would prefer to address issues relating to its software development lifecycle through the FedRAMP process, which is happening now, Frazier said. The upcoming guidance in NIST Special Publication 800-53, Revision 5, includes a family of supply chain controls that the FedRAMP Program Management Office plans to adopt and assess its vendors against.
The CMMC is being revised because the initial process was “heavy” and “subjective,” Richberg said. A vendor’s third-party assessor determined its score, and therefore whether it passed or failed.
Richberg expects OMB to require vendors to prove compliance through artifacts demonstrating the functions specified in its guidance, but not to be overly prescriptive, instead deferring to the SSDF.
Once released, the guidance will have to be written into contract language by agencies, but the Cybersecurity Executive Order called for the SSDF to be implemented within a year. Depending on OMB’s release date, some proofs of concept may appear before the end of fiscal year 2022.
“I think aiming for the end of this fiscal year is frankly a bit ambitious, with this just coming out now,” Richberg said.