What the Cybersecurity Executive Order Means for Software Supply Chain Security
Here’s what to expect and what you can do.
Recently, President Biden signed the much-anticipated Executive Order (EO) on cybersecurity, which declared that the “prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.” The EO is clearly intended to address the issues that resulted in recent major cyber incidents such as SolarWinds, Microsoft Exchange and the Colonial Pipeline.
One important aspect of the EO is its focus on improving software supply chain security, which is a welcome and necessary step in the right direction. Here’s just some of what the new EO calls for, and what you can expect as a result:
Baseline security standards
The EO places responsibility on the director of NIST to determine and publish guidelines and best practices for enhancing software supply chain security. Federal agencies—as well as the private companies they do business with—will be required to adopt these standards to ensure software supply chain security. Eventually, we can expect that the Office of Management and Budget will enforce these standards to ensure that agencies comply.
Enhanced information sharing
The EO addresses barriers to information sharing before and after cyber incidents by requiring IT providers that sell to the government to promptly report breaches and cyber threat information. Doing so allows the federal government to prevent breaches, respond when they occur and share broadly to protect Americans. We can expect that language for contracting with IT and OT service providers will be updated accordingly to ensure that any barriers to sharing such information are removed.
Consumer labeling program
The EO calls for an Energy Star™-like labeling program indicating that supply chain software and IoT devices were developed securely. The idea is to create a distinguishable mark of quality and confidence for software that the government and public can recognize at a glance. At the same time, it’s expected that this move will reward more secure companies with better recognition in the marketplace.
Steps for prevention and preparation
One way to anticipate a breach caused by third-party software is to watch for a degrading security posture among your third-party software providers over time; a declining trend can be a tell-tale clue that something is amiss.
It’s also important to take steps to prepare your organization for a possible third-party breach, which will help with response, remediation and recovery. Such steps should include mapping vendors, identifying important assets and reducing third- and fourth-party security risk.
This can be accomplished by automating, accelerating and scaling your third-party security evaluation and management process. Doing so enables easy collaboration and communication between companies and suppliers, resulting in efficient and effective risk remediation in alignment with a company’s security policies and risk appetite.
Want to learn more about how to prepare for and respond to a supply chain breach? Download our Third-Party Incident Response Playbook.