This is the nineteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through October 2022. This blog describes key actions taken to implement the Cyber EO during November 2022.
I. CISA, NSA, and ODNI Release Software Supply Chain Security Guide for Customers
On November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released the third in a series of recommended practice guides for securing the software supply chain (the “Customer Guide”). The first practice guide in this series – published in September 2022 – was for software developers, and the second – published in October 2022 – was for software suppliers. Each of the three guides is intended to supplement the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology (NIST) pursuant to Section 4 of the Cyber EO.
The Customer Guide identifies key supply chain security objectives for software customers (acquirers) and recommends several broad categories of practices to achieve those objectives, including security requirements planning, secure software architecture, and maintaining the security of software and the underlying infrastructure (e.g., environment, source code review, test). For each of these practice categories, the guide identifies examples of scenarios that could be exploited (threat scenarios) and examples of controls that could be implemented to mitigate those threat scenarios.