Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience
By Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director
The Biden-Harris Administration is committed to delivering a Government that works for all Americans – and technology powers our ability to do so. In order for Federal agencies to provide critical services, information, and products to the American people, they need access to secure and reliable software that manages everything from tax returns to veterans’ health records.
That’s why today, building on the President’s Executive Order on Improving the Nation’s Cybersecurity, the Office of Management and Budget is issuing guidance to ensure Federal agencies utilize software that has been built following common cybersecurity practices.
Not too long ago, the only real criterion for the quality of a piece of software was whether it worked as advertised. Given the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.
This is not theoretical: foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure. In 2020, a number of Federal agencies and large corporations were compromised by malicious code that had been inserted into a SolarWinds software update. This small change created a backdoor into the digital infrastructure of Federal agencies and private sector companies. The incident was one of a string of cyber intrusions and significant software vulnerabilities over the last two years that have threatened the delivery of Government services to the public, as well as the integrity of the vast amounts of personal information and business data managed by the private sector.
In response to these threats, President Biden signed a historic Executive Order to ensure Federal agencies implement rigorous, modern cybersecurity protections for our systems and data. Part of this shift includes the release of today’s guidance, which will ensure that the millions of lines of code that underpin Federal agencies’ work are built with industry security standards in place. The guidance, developed with input from the public and private sectors as well as academia, directs agencies to use only software that complies with secure software development standards, establishes a self-attestation form for software producers and agencies, and will allow the Federal Government to quickly identify security gaps when new vulnerabilities are discovered.
By strengthening our software supply chain through secure software development practices, we are building on the Biden-Harris Administration’s efforts to modernize agency cybersecurity practices, including our Federal ‘zero trust’ strategy, improving our detection of and response to threats, and our ability to quickly investigate and recover from cyberattacks. It is part of a larger enterprise cybersecurity and information technology (IT) modernization plan that ensures we can deliver a simple, seamless, and secure customer experience.
The guidance released today will help us build trust and transparency in the digital infrastructure that underpins our modern world and will allow us to fulfill our commitment to continue to lead by example while protecting the national and economic security of our country.