Cybeats Technologies Inc. is pleased to comment on the memorandum (M-22-18) issued by the White House’s Office of Management and Budget on September 14, 2022 under President Biden’s May 2021 Cybersecurity Executive Order.
The memorandum, intended for the heads of executive departments and agencies, focuses on enhancing the security of the software supply chain through secure software development practices.
The memo requires all federal agencies to complete a NIST-approved standardized self-attestation form before using any vendor’s or third-party software, including software renewals and major version changes. It also sets new deadlines for federal agencies with regard to their software inventory processes, their communication and attestation processes, and their organizational training needs. The memo further calls on the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) to help develop a program plan for a government-wide central repository where software attestations and artifacts can be stored, with mechanisms for protecting that information and sharing it among federal agencies.
“By strengthening our software supply chain through secure software development practices, we are building on the Biden-Harris Administration’s efforts to modernize agency cybersecurity practices, including our federal zero trust strategy, improving our detection and response to threats, and our ability to quickly investigate and recover from cyberattacks,” [2] stated the Federal CISO and Deputy National Cyber Director, Chris DeRusha.
“Following the recent rise of cyber-threats and an increased scrutiny of software supply chains, this memorandum comes at a crucial time for federal agencies and critical infrastructure departments,” stated Yoav Raiter, CEO of Cybeats. “Cybeats applauds this memorandum and we will continue to put our efforts towards supporting the development of best practices for software supply chain intelligence and security.”
The National Institute of Standards and Technology (NIST) has released a Secure Software Development Framework (SSDF) with recommendations for mitigating the risk of software vulnerabilities. The SSDF provides a core set of high-level secure software development practices that can be integrated into each SDLC implementation. The Framework highlights that “following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences, and to foster communications with suppliers in acquisition processes and other management activities.” [3]