Biden order gives CISA software supply chain 'teeth'

The outgoing administration makes a Hail Mary attempt to salvage work it began in 2021 to require specific software supply chain security information from software suppliers.

A new cybersecurity executive order released by the Biden administration this week reinforces a previous order's requirements for software supply chain security and secure software development after three years of dithering in the industry.

In 2021, President Biden issued executive order 14028, calling for software suppliers to provide software bills of materials (SBOMs) -- machine-readable manifests of software components and dependencies -- to federal government agencies. The Cybersecurity and Infrastructure Security Agency (CISA) was tapped to create a process by which those suppliers could attest to the contents and security of their products.

CISA's initial draft of a self-attestation form for those suppliers included a specific SBOM requirement, but after a public comment period and conferences with industry leaders, the agency omitted the term in last year's final version. Instead, to the frustration of SBOM advocates, that form required software vendor executives to formally attest to their products' security in writing, without providing a machine-readable list of its specific ingredients.

"Despite the term SBOM being mentioned many times in the original executive order, both the White House and CISA failed to survive contact with trade associations and lobbyists who were against transparency," said Joshua Corman, co-author of The Rugged Manifesto in 2010 and a longtime advocate of SBOMs for software supply chain security in federal government as chair of one of CISA's SBOM working groups.

It's an open question whether the new cybersecurity executive order will survive the imminent transition to a new presidential administration, making the new order a last-ditch effort to preserve the original intention of executive order 14028, Corman said.

"This is their saving throw, to use a Dungeons & Dragons term -- if you get a critical hit from the dragon, you can still roll a D20 [dice] to survive," he said. "This is their chance to roll a saving throw and do what we needed at the time we first said we needed it."

Attestation once more, with gusto

For most of the past three years, working group and conference discussions led by CISA with industry reps have been mired in debate. Concerns about the feasibility of providing SBOMs have included fears about the disclosure of sensitive data to attackers and competitors as well as confusion about multiple proposed industry standards for SBOM ingestion and exchange. There has also been a softening of demand for SBOMs from enterprise IT buyers during the same period.

Now, the new cybersecurity executive order restates the requirement for specific data to be delivered by federal suppliers -- though it, too, does not mention SBOMs specifically. Within 30 days, according to the new executive order, the Director of CISA must "recommend … contract language requiring software providers to submit … through CISA's Repository for Software Attestations and Artifacts:

  1. machine-readable secure software development attestations;
  2. high-level artifacts to validate those attestations; and
  3. a list of the providers' Federal Civilian Executive Branch (FCEB) agency software customers."

Within 120 days, multiple federal agencies must amend the Federal Acquisition Regulation to include the new language, the order states. Furthermore, the order calls for updates to the NIST Secure Software Development Framework, and for CISA's self-attestation process to encompass its requirements as well, including attestations that suppliers have followed patching and secure software development best practices.

Finally, "The National Cyber Director is encouraged to refer attestations that fail validation to the Attorney General for action as appropriate," according to the new executive order.

"Directing the procurement office to require these things, and directing the Attorney General to follow up on lies around these things [puts] actual teeth behind those early efforts," said Brian Fox, co-founder and CTO of software supply chain security management company Sonatype and a governing board member at the Open Source Security Foundation (OpenSSF).

A matter of interpretation

However, there's room for the new order to be watered down as well, depending on how suppliers and federal officials interpret the phrase "high-level artifacts to validate attestations," according to software supply chain security experts.

"My hope and desire is that the most [readily] available machine-generated, and therefore machine-readable, 'high-level artifact' could be an SBOM," Corman said. "[But] if those opponents to transparency both inside and outside of the government are still seeking to delay, degrade [and] diffuse [the regulation], this high-level artifact could be just a machine-ingestible version of the same attestation form."

Other cybersecurity experts said they were more optimistic that the new order will not just result in more SBOMs being furnished but will lead to more specific, actionable data requirements about secure software delivery overall.

[Photo caption: President Joe Biden's new executive order expands federal software supply chain security requirements.]

"These compliance artifacts could be in-toto attestations, or documents in the open security control assessment language as ways of representing the development process [and] the delivery and provenance of the software," said Chris Hughes, chief security adviser at software supply chain security company Endor Labs and CEO at Acquia, a cloud and cybersecurity digital services firm. "[Agencies] want to know the software is secure, but also … the entire supply chain pathway that the software takes before it reaches them."
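To make concrete what a "machine-readable attestation" with an SBOM as its "high-level artifact" could look like, and what it means for such an attestation to "fail validation" on the receiving agency's side, here is an added example (not code from the article, from CISA, or from the in-toto or CycloneDX projects). It assumes the in-toto Statement v1 layout (`_type`, `subject[].digest`, `predicateType`, `predicate`) and a CycloneDX-style component list as the predicate; the predicate-type URIs, the sample artifact bytes and the sample SBOM are constructed for this example.

```python
"""Validate a machine-readable software attestation against the artifact it
describes.

Added example, not code from the article or from the CISA, in-toto or
CycloneDX projects. Assumes the in-toto Statement v1 layout and a
CycloneDX-style component list as the SBOM predicate; the artifact bytes,
SBOM contents and predicate-type URIs below are constructed/assumed.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
# predicateType URIs this checker accepts for an SBOM artifact (assumed values)
SBOM_PREDICATE_TYPES = {"https://cyclonedx.org/bom", "https://spdx.dev/Document"}

# Constructed stand-in for a delivered software artifact (e.g. a release tarball).
ARTIFACT = b"example-release-1.2.3.tar.gz contents (constructed)"

# Constructed CycloneDX-style SBOM body listing the artifact's components.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.4.1"},
        {"type": "library", "name": "libbar", "version": "0.9.0"},
    ],
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used to bind the attestation to the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def make_attestation(name: str, artifact: bytes, sbom: dict) -> dict:
    """Build an in-toto Statement whose subject is the artifact digest and
    whose predicate is the SBOM (the supplier-side step)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://cyclonedx.org/bom",
        "predicate": sbom,
    }


def validate_attestation(statement: dict, artifact: bytes) -> list[str]:
    """Return a list of validation failures (the agency-side step); an empty
    list means the attestation is consistent with the artifact delivered."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    subjects = statement.get("subject") or []
    if not subjects:
        problems.append("no subject")
    actual = sha256_hex(artifact)
    for subj in subjects:
        claimed = subj.get("digest", {}).get("sha256")
        if claimed != actual:
            # The attested SBOM describes something other than what was shipped.
            problems.append(f"digest mismatch for {subj.get('name')}")
    if statement.get("predicateType") not in SBOM_PREDICATE_TYPES:
        problems.append("predicate is not a recognised SBOM type")
    components = (statement.get("predicate") or {}).get("components")
    if not components:
        problems.append("SBOM lists no components")
    else:
        for c in components:
            if not c.get("name") or not c.get("version"):
                problems.append("component missing name or version")
    return problems


if __name__ == "__main__":
    att = make_attestation("example-release-1.2.3.tar.gz", ARTIFACT, SAMPLE_SBOM)
    print(json.dumps(att, indent=2))
    print("clean:", validate_attestation(att, ARTIFACT))
    print("tampered:", validate_attestation(att, ARTIFACT + b"x"))
```

The point of the subject digest is that the attestation cannot be reused for a different build: if the delivered bytes change, the SBOM's claims no longer bind to them and the check reports a mismatch. A real deployment would additionally verify a signature over the statement (for example a DSSE envelope as used by Sigstore) before trusting any of its contents.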

Though it remains to be seen what results the order gets under the next administration, there's plenty of room for it to go further, said Dan Lorenc, co-founder and CEO of software supply chain security vendor Chainguard, a member of the OpenSSF Technical Advisory Committee and the creator of the Sigstore open source software attestation project.

"CISA's self-attestation programs may finally get some teeth, [but] I'd like to see even more from CISA's self-attestation programs to avoid the risk of them becoming mere rubber stamps with little to no enforceability," Lorenc said. "There's potential for improvement here, especially if the programs evolve to incorporate more specific, actionable controls akin to FedRAMP."

Beth Pariseau, senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.