New federal cybersecurity regulations have arrived, and any software provider who wants to do business with the U.S. public sector will have to abide by them.
How we got here
Following the Colonial Pipeline hack in 2021, which caused public panic, hindered energy production and revealed holes in the cybersecurity of critical infrastructure, President Biden signed an Executive Order meant to strengthen cybersecurity across the country. One of its specific provisions ordered the National Institute of Standards and Technology (NIST) to develop regulations standardizing certain features of software meant to protect entities from cyberattacks.
This year, the Office of Management and Budget (OMB) drafted a memorandum detailing how it was going to enforce the regulations provided by NIST.
Breaking down the OMB memo
OMB now mandates that software products sold to the federal government abide by certain standards to prevent events such as the Colonial Pipeline hack and other major cybersecurity breaches from happening again. This covers software and any product that incorporates software in some fashion, whether firmware, applications, application services or operating systems.
The overarching purpose of the new regulations is to improve transparency between the software developer and the government. Before a sale can occur, the developer must be able to demonstrate how their product will affect the cybersecurity of the agency.
One of the new regulations software companies must follow is providing a Software Bill of Materials (SBOM) with their products. This is described by the National Telecommunications and Information Administration (NTIA) as "a nested inventory for software, a list of ingredients that make up software components." The benefits of SBOMs are numerous and include reducing compliance and security risks as well as costs.
How software developers can provide proof of compliance
Software providers, in addition to providing an SBOM, also have to offer a "self-attestation" to the agencies they sell to. This is a document, provided before the software is used, attesting that secure development practices are being followed. Another term for the "self-attestation" document is the supplier's declaration of conformity (SDoC).
If for whatever reason an agency decides a self-attestation document by itself is insufficient proof of quality, other pieces of evidence may also be required. The SBOM can serve as this proof, for instance. Alternatively, the developer can explicitly identify which practices they're following that are designed to lessen vulnerability and risk. In some cases, an agency might want a Plan of Action & Milestones (POA&M) that demonstrates quality.
Not everyone is happy with the new regulations, however. The Information Technology Industry Council wants the White House to provide greater clarification, saying they can't follow the new regulations as they are now without added detail.
This is just the beginning
With cyberthreats constantly evolving and growing more sophisticated and deadly, it seems likely that the OMB memo won't be the end of regulations meant to improve cybersecurity efforts. However, these are reactive measures, adopted in response to threats that have already occurred. To ensure that U.S. infrastructure isn't compromised again, the ultimate goal needs to be a proactive rather than reactive approach to cybersecurity, with changes made in anticipation of new cyberthreats. The new regulations are a start, but they are by no means an end-all solution.