The News: A top federal cybersecurity official recently indicated that the Office of Management and Budget is preparing new cybersecurity guidance for federal agencies to be released in the coming weeks. The forthcoming requirements seem likely to focus on software supply chain concerns. Read more from NextGov here.
Upcoming Federal Cybersecurity Guidance Likely to Address Software Supply Chain Concerns
Analyst Take: During a recent NextGov event, Steven Hernandez, a top federal cybersecurity official, revealed that a new mandate on software supply chain security is in the works at the Office of Management and Budget. The federal cybersecurity guidance will help agencies understand the provenance of any software that is used on government networks and hold vendors accountable for its security, Hernandez indicated. New guidelines are expected to be released within the next few weeks.
An executive order in May 2021 established the National Institute for Standards and Technology’s Secure Software Development Framework, which is likely to be strengthened and reinforced by the new federal cybersecurity policy guidelines. The framework aims to address software supply chain concerns by requiring key information from vendors, and upcoming guidance may include third-party verification of vendor information among other updates to existing federal cybersecurity practices.
Software Supply Chain Concerns in Federal Cybersecurity
In the wake of the 2020 SolarWinds hacking incident and recent attention to critical vulnerabilities in log4j, an open-source software library, federal cybersecurity concerns have driven an increase in new policies and requirements for agencies and their vendors. Cyber supply chain risk management is a key aspect of federal cybersecurity, and guidance has previously focused on ensuring the security of software through the supply chain by maintaining inventories of software programs and the provenance of the code contained within. This is known as the Software Bill of Materials (or SBoM), and future guidance is expected to require SBoM information from vendors in a machine-readable format to allow for streamlined responses to incidents or vulnerabilities.
Advancement in federal cybersecurity practices is always good news, as the ability for federal agencies to work quickly and securely is vital to national security. It’s safe to say that no one wants to see another SolarWinds incident or malicious data breach that compromises the functionality of our federal agencies or private firms. As technology advances, federal cybersecurity efforts must keep pace in identifying and eliminating vulnerabilities before they result in unforeseen consequences. I look forward to the release of the OMB’s new guidelines and will be following the story as it develops.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum Research as a whole.
Other insights from Futurum Research:
Image Credit: NextGov
The original version of this article was first published on Futurum Research.
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”