The supply chains for software, hardware and firmware are complex, and securing the cybersecurity supply chain is a multi-pronged effort. The federal government’s recent initiatives have agencies looking beyond their networks to the practices of their vendors. For industry, this means a host of new requirements.
Alex Whitworth, an executive focused on cybersecurity solutions at Carahsoft, recently sat down with ExecutiveBiz to discuss how efforts like software bills of materials and the Department of Defense’s Cybersecurity Maturity Model Certification framework are changing how public sector agencies and technology providers work together to raise security standards.
ExecutiveBiz: What are the most pressing cybersecurity supply chain concerns facing government agencies today?
Alex Whitworth: Cybersecurity supply chain risk is a major focus, and the government is taking several approaches to ensure nothing is overlooked. For example, a lot of attention has been focused on software supply chain security and ensuring agencies understand what is in the software they’re procuring. Software supply chain security was a prominent feature of Executive Order 14028, and since then, the National Institute of Standards and Technology released a secure software development framework, the Office of Management and Budget has released mandates on software security and the Cybersecurity and Infrastructure Security Agency released the self-attestation form focused on software supply chain risk.
The government is pushing industry to focus on developing secure code and maintaining a baseline level of security built into its software development process. Today the government asks for self-attestation forms from every software producer stating they have developed their software in accordance with the controls and processes of NIST’s secure software development framework.
But software is just one element of the cybersecurity supply chain. The Defense Department is still working toward implementing the Cybersecurity Maturity Model Certification program, which will significantly impact the defense industrial base’s cyber posture.
We’re also examining hardware supply chains, but firmware has long been omitted from security frameworks. Plenty of agencies are working to understand the vulnerabilities that are inherent in firmware built into all types of equipment, like laptops, servers, switches, routers, weapon systems and industrial control systems. All of this also comes at a time when geopolitical conflicts in Europe and Asia are putting new pressure on understanding our supply chains.
EBiz: What recent developments have you seen in the U.S. government’s approach to software bills of materials?
Whitworth: There’s been a lot of effort on that. The Army just recently released a mandate requiring software bills of materials, or SBOMs, from their software providers. SBOMs go a step further than a self-attestation form in that they are the actual ingredients list of a software system. Having an organization the size of the Army start to require this really draws a line in the sand. It sends a message to industry that government as a whole is taking this seriously. And it may have some trickle-down effect for smaller agencies, making it easier for them to request similar forms of documentation or evidence.
The Army isn’t the only one. Agencies across the federal government now are requiring self-attestation forms ahead of software procurements. The General Services Administration has come out and required self-attestation forms from anybody selling software to GSA. The Food and Drug Administration has been a leader in this space, requiring software bills of materials from all medical device manufacturers as part of their review process.
EBiz: What is Carahsoft doing to help vendors prepare for these different supply chain requirements?
Whitworth: Everybody can agree that more security is good from a national security perspective, and having some baselines is important. On the CMMC side, Carahsoft focuses on helping defense industrial base companies raise their cyber maturity by working with great companies that help address every CMMC capability domain. We’re providing educational materials and access to resources within our company that can help identify the right mix of tools and service providers to help government remediate gaps and reach a compliant state.
Regarding software bill of materials initiatives, it’s very similar to CMMC. We’ve embraced it from the beginning, providing resources for our vendor and partner community to understand the mandates and policies. We help them find service providers and tools that can evaluate their current status against the requirements, remediate vulnerabilities, and deliver a software bill of materials they feel comfortable and confident about providing to the government. Ultimately, we aim to get them to a state where they can sign the self-attestation and deliver it.
Like any other new requirement, there are early adopters and those that take a wait-and-see approach, holding off until they understand the penalties for non-compliance. Our focus is on providing education and resources to help our vendors reach a compliant state. We can’t force them to move, but we’re certainly advocating for it at every opportunity.
EBiz: How can agencies better assess and manage both adversarial and non-adversarial threats in their cyber supply chains?
Whitworth: The visibility the government will start to achieve through these software supply chain security requirements will allow them to spot malicious code quickly. This will help with non-adversarial events, too — things like broken code or an outage. Agencies will be able to identify and remediate issues, and if needed, isolate those affected systems and focus on getting them back online. It’s a happy outcome.
A lot of focus in the past has been on the network that organizations control. They’ve focused on implementing zero trust based on vulnerability scanning, endpoint detection and response and identity security — all key pillars of a good cyber posture. But over the last three years, there’s been momentum to include the cybersecurity supply chain in that conversation. Embracing OMB mandates and other requirements will help agencies feel confident that the business application software or cybersecurity software protecting those business applications meets a minimum level of security. Holding organizations to these standards will enhance agencies’ cyber posture over time.
For more information about CMMC Compliant Products and Services offered by Carahsoft, please visit: carahsoft.com/cmmc