The US government is in the process of revamping its cybersecurity policies. This includes the release of Secure Software Development Framework (SSDF) version 1.1 by the National Institute of Standards and Technology (NIST), which aims to reduce security vulnerabilities across the Software Development Life Cycle (SDLC).
The document provides software vendors and acquirers with “a core set of high-level secure software development practices that can be integrated into each SDLC implementation.”
An initial draft framework was published in September 2021, followed by the final version in February 2022, which contained only minor updates. The SSDF combines best-practice recommendations for SDLC security while remaining customizable and sector-agnostic.
It is not a document that prescribes fixed methodologies for each practice. Instead, it’s focused on outcomes rather than specific tools, techniques, and mechanisms. The SSDF promotes a risk-based approach, where organizations are encouraged to consult references and other resources to determine what practices are relevant to their operations and how they should be implemented.
The SSDF includes recommendations in the following areas:
- Ensuring an organization’s people, processes, and technology are prepared for secure software development
- Protecting all software components from tampering and/or unauthorized access
- Releasing secure software with minimal security vulnerabilities
- Identifying any vulnerabilities post-release and responding appropriately
Recommendations quickly become directives
In partnership with the private sector, NIST was directed to create the SSDF by Executive Order 14028, “Improving the Nation’s Cybersecurity.” The order also directs the Office of Management and Budget (OMB) to, within 30 days of issuance, “take appropriate steps to require that agencies comply with such guidelines with respect to software procured after the date of this order.”
On March 7th, 2022, the OMB released a statement that included the following, “Federal agencies must begin to adopt the SSDF and related guidance effective immediately, tailoring it to the agency’s risk profile and mission.”
Therefore, while the SSDF is a list of recommendations, it must be followed by all organizations supplying software to the US government. While not a legal requirement for all software development, the SSDF still represents a considerable step in US cybersecurity policy.
With the U.S. government’s spending power, as a massive consumer of external software, it is assumed these recommendations will filter through to the rest of the industry, becoming the norm for software development in the U.S. As a result, any organization considering applying for U.S. government contracts must learn how to adhere to the SSDF, and any organization looking to operate successfully in the U.S. will likely need to comply as well.
OMB Memo on cybersecurity priorities
The SSDF is not the only new development in U.S. cybersecurity policy. The U.S. government recently asked agencies to emphasize new priorities, including implementing a zero-trust approach and modernizing legacy IT systems.
Following on from Executive Order 14028, the OMB and the Office of the National Cyber Director (ONCD) released a memo on July 22nd, 2022, outlining the U.S. government’s cross-agency cyber investment priorities for budget submissions in the fiscal year 2024.
It outlines three priorities Federal Civilian Executive Branch (FCEB) agencies should invest in. The OMB and ONCD will review each agency’s response and provide feedback to ensure “priorities are adequately addressed and consistent with the overall cybersecurity strategy and policy—aiding agencies’ multi-year planning through the regular budget process.”
The three priorities for cyber investment are:
#1: Improving the defense and resilience of government networks
The memo asks FCEB agencies to prioritize zero trust implementation and IT modernization.
The zero trust security model describes IT systems in which no user or device is trusted by default. Typical architectures verify once at the perimeter, then allow users or devices broad access to the network. In contrast, zero trust architectures verify every access request, regardless of where inside the system it originates.
The Federal Zero Trust Strategy is outlined in its own OMB memo, released on January 26th, 2022. The strategy requires all government agencies to reach specific zero trust goals by the end of the 2024 fiscal year.
It hopes to “achieve a consistent enterprise-wide baseline for cybersecurity grounded in principles of least privilege, minimizing attack surface, and designing protections around an assumption that agency perimeters should be considered compromised.”
This is an important shift for government agencies—moving forward, they are required to analyze all the software they use (whether built internally or sourced from an external vendor) to ensure it meets zero trust security requirements.
IT modernization refers to the considerable number of legacy systems government agencies utilize and the technical debt they incur. Budget submissions for 2024 “should prioritize technology modernizations that lead with security integrated during the design phase, as well as throughout the system life cycle.”
- Accelerating the adoption of secure cloud infrastructure that leverages zero trust architecture
- Deploying federal shared products, services, and standards to empower safe customer experiences
- Using shared security technologies and engaging with the Department of Homeland Security’s Continuous Diagnostics and Mitigation program
- Sharing awareness between security and IT operations teams
- Using Agile development practices and integrating the SSDF
#2: Deepening cross-sector collaboration in defense of critical infrastructure
Protecting against modern cyber threats will require considerable collaboration between the private and public sectors. The OMB is asking the FCEB to build partnerships by prioritizing Sector Risk Management Agency (SRMA) responsibilities and sharing information through cybersecurity centers.
Agencies must prioritize building methods and mechanisms that facilitate collaboration with critical infrastructure owners in order to mitigate potential threats. SRMAs should also provide budget requests that “reflect adequate resources to fulfill their responsibilities under section 9002 of the National Defense Authorization Act of 2021.” Specifically, submissions must:
- Allow SRMAs to collaborate closely with the Cybersecurity and Infrastructure Security Agency (CISA) and other SRMAs
- Enable government and industry to exchange information
- Improve the understanding of national security risks for each sector
#3: Strengthening the foundations of our digitally-enabled future
The final priority asks FCEB agencies to prioritize physical infrastructure, human capital, and software supply chain risk as more of the U.S. economy undergoes digital transformation.
- Physical infrastructure
The recent Infrastructure Investment and Jobs Act (IIJA) represents a huge investment by the U.S. government. The OMB is asking FCEB agencies to support any efforts to secure infrastructure from cyber attacks. This includes developing cybersecurity standards and providing technical support for new projects.
- Human capital
To counter cyber threats, agencies are encouraged to invest in IT talent and new tools that promote digital competency across the wider workforce.
- Software supply chain risk
Software supply chain security is becoming a growing cybersecurity risk. As a result, federal agencies are currently required to establish Supply Chain Risk Management (SCRM) initiatives during acquisitions, especially for those in information and communications technology and services (ICTS). While this requirement is set to expire at the end of 2023, there is legislation pending that will extend it to 2026.
Agencies are expected to sustain last year’s SCRM investments and target new resources. Beyond building the federal government’s acquisition capabilities, the government also plays a significant part in addressing the national ICTS supply chain risk.
OMB’s memo states, “In FY 2024 Budget submissions, agencies should highlight investments that support a national effort to mitigate undue or unacceptable levels of risk to economic security and national security of the United States.” This includes investments concerning Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain.”
U.S. cybersecurity policy is moving fast; are you equipped to keep up?
With growing cybersecurity demands, software development companies looking to operate in the U.S. must ensure they can successfully adapt to the new guidelines.
The SSDF has already come into effect, and organizations need to learn the new software development guidelines they are expected to follow. The SSDF promotes a range of measures that reduce exposure to vulnerabilities and unauthorized access throughout the SDLC while also encouraging transparency. This includes:
- Validating artifacts
- Digitally signing artifacts
- Tracking files for changes and generating evidence
- Validating every component within the final software artifact
The latest OMB memo on cyber investment priorities not only reemphasizes the adoption of the SSDF, but also lays out a range of priorities for government agencies. The most significant one for software developers is the implementation of zero trust architecture across the software the FCEB uses. This memo comes into effect in 2024, so organizations needing to adapt their products don’t have a lot of time to get ready.
While the new requirements outlined by the OMB memo only apply to organizations seeking contracts with FCEB agencies, the direction of travel suggests new cybersecurity guidelines will likely be adopted for all federal contractors, as outlined in Executive Order 14028.
Organizations that are slow to adapt risk missing out on business from the U.S. government and potentially other U.S. clients. Now is the time to implement a zero trust security model and learn the SSDF best practices.
The U.S. government is showing significant forward movement when it comes to cybersecurity policy. With the SSDF already being enforced and new OMB cyber priorities coming into effect in 2024, organizations looking to continue operating in the U.S. have multiple new guidelines to learn and comply with.