On May 12, 2021, the Biden Administration issued Executive Order 14028, "Improving the Nation's Cybersecurity," to strengthen the federal government's cybersecurity defenses against "persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people's security and privacy."
The order followed the DarkSide ransomware attack on Colonial Pipeline, the latest in a series of major incidents that also included the SolarWinds supply-chain compromise and the exploitation of Microsoft Exchange Server and Pulse Secure VPN vulnerabilities. The EO calls on the government and the private sector to partner in building a more secure cyberspace, and it sets out new cybersecurity standards and requirements for companies that sell software and services to the federal government.
What we know so far
The executive order establishes a broad series of actions to improve the federal government's cybersecurity, such as removing contractual barriers that hinder the sharing of cyber threat information, standardizing the federal government's vulnerability and incident response procedures, and establishing a "Cyber Safety Review Board" made up of public- and private-sector officials.
Moreover, the EO directs agencies to complete specific actions on fixed timelines in the following months; for example, the Director of NIST is to "identify existing or develop new standards, tools, and best practices" for evaluating software security and the security practices of developers and suppliers.
The cyber executive order also mandates multifactor authentication, encryption of data at rest and in transit, and movement toward a zero trust architecture.
“The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
Source: White House
The new requirements aimed at securing the software supply chain focus on the software development process and on security testing. The EO calls for suppliers to use automated tools to test for known and potential vulnerabilities, to provide evidence of that testing when a purchaser requests it, to maintain secure software development environments, and to provide a Software Bill of Materials (SBOM) for each product, either directly to the purchaser or by publishing it on a public website.
The Software Bill of Materials is the element of the executive order that has drawn the most attention from the DevOps community. Its purpose is to list every component in a given product, including open-source software and third-party components, as a single source of truth; producing and maintaining that inventory will directly affect how DevOps teams build and ship software.
The Department of Commerce and NTIA published on July 12, 2021, a report on the minimum elements for an SBOM, serving as “the foundation for an evolving approach to software transparency.”
The minimum elements for an SBOM
Data Fields: Document baseline information about each component that should be tracked – Supplier, Component Name, Version of the Component, Other Unique Identifiers, Dependency Relationship, Author of SBOM Data, and Timestamp.
Automation Support: Support automation, including via automatic generation and machine-readability to allow for scaling across the software ecosystem. Data formats used to generate and consume SBOMs include SPDX, CycloneDX, and SWID tags.
Practices and Processes: Defining the operations of SBOM requests, generation, and use, including: Frequency, Depth, Known Unknowns, Distribution and Delivery, Access Control, and Accommodation of Mistakes.
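The minimum elements above map onto concrete fields in the machine-readable formats. The following Python script is an added example, not code from the original article or from NTIA: it builds a small CycloneDX 1.4 JSON document (the sample SBOM and its component names are constructed for illustration) and checks it against the seven NTIA data fields. Supplier, component name, version and unique identifier (purl, CPE or SWID) are checked per component; author and timestamp are checked at document level; dependency relationship is checked by verifying that every reference in the dependency graph resolves to a listed component, and that components absent from the graph are reported as "known unknowns" (CycloneDX treats a node with an empty dependsOn as having no dependencies, and an absent node as having unknown dependencies). The check is written for JSON output; an SPDX or SWID document would need a different field mapping.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum data fields (added example)."""
import json
from datetime import datetime

# Constructed sample SBOM (CycloneDX 1.4 JSON); supplier names and dependencies are
# invented for this example and describe no real product. One component deliberately
# lacks a supplier and a unique identifier, and one is omitted from the dependency
# graph, so the checker has something to report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2021-07-12T14:05:00Z",
        "authors": [{"name": "Example Build Pipeline"}],
        "component": {"type": "application", "name": "acme-app", "version": "2.3.1",
                      "bom-ref": "pkg:generic/acme-app@2.3.1",
                      "purl": "pkg:generic/acme-app@2.3.1",
                      "supplier": {"name": "Example Supplier A"}},
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "bom-ref": "pkg:pypi/requests@2.25.1", "purl": "pkg:pypi/requests@2.25.1",
         "supplier": {"name": "Example Supplier B"}},
        {"type": "library", "name": "urllib3", "version": "1.26.5",
         "bom-ref": "pkg:pypi/urllib3@1.26.5", "purl": "pkg:pypi/urllib3@1.26.5",
         "supplier": {"name": "Example Supplier C"}},
        # Missing supplier and purl/cpe/swid: violates two of the minimum data fields.
        {"type": "library", "name": "left-pad", "version": "1.3.0", "bom-ref": "left-pad"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/acme-app@2.3.1",
         "dependsOn": ["pkg:pypi/requests@2.25.1", "left-pad"]},
        {"ref": "pkg:pypi/requests@2.25.1", "dependsOn": ["pkg:pypi/urllib3@1.26.5"]},
        {"ref": "pkg:pypi/urllib3@1.26.5", "dependsOn": []},
        # left-pad has no node in the graph: its own dependencies are a "known unknown".
    ],
})


def _component_findings(comp):
    """Return the NTIA minimum-field names missing from one CycloneDX component."""
    missing = []
    if not (comp.get("supplier") or {}).get("name"):
        missing.append("supplier")
    if not comp.get("name"):
        missing.append("component name")
    if not comp.get("version"):
        missing.append("version")
    # "Other unique identifiers": any of purl, CPE or SWID tag satisfies the element.
    if not any(comp.get(key) for key in ("purl", "cpe", "swid")):
        missing.append("unique identifier")
    return missing


def check_sbom(sbom_json):
    """Validate an SBOM document against the NTIA minimum elements.

    Returns {"document": [missing document-level fields],
             "components": {bom-ref: [missing fields]},
             "unknown_dependencies": [refs with no node in the graph],
             "dangling_refs": [refs in the graph that match no component]}.
    """
    bom = json.loads(sbom_json)
    findings = {"document": [], "components": {},
                "unknown_dependencies": [], "dangling_refs": []}
    meta = bom.get("metadata", {})

    # Author of SBOM data and timestamp are document-level in CycloneDX.
    if not meta.get("authors") and not meta.get("tools"):
        findings["document"].append("author of SBOM data")
    try:
        datetime.fromisoformat(meta.get("timestamp").replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        findings["document"].append("timestamp")

    # The primary component lives under metadata; the rest under components.
    components = [c for c in [meta.get("component")] + bom.get("components", []) if c]
    refs = set()
    for comp in components:
        ref = comp.get("bom-ref") or comp.get("name")
        refs.add(ref)
        missing = _component_findings(comp)
        if missing:
            findings["components"][ref] = missing

    # Dependency relationship: every ref must resolve, and a component without a
    # node in the graph is reported as having unknown dependencies.
    graph = {d.get("ref"): d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    for ref, deps in graph.items():
        for r in [ref] + list(deps):
            if r not in refs:
                findings["dangling_refs"].append(r)
    findings["unknown_dependencies"] = sorted(r for r in refs if r not in graph)
    return findings


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

Run against the sample, the checker reports left-pad as missing its supplier and unique identifier and as the one component whose dependencies are unknown; a clean SBOM returns empty lists everywhere. Feeding a real CycloneDX file in place of SAMPLE_SBOM works unchanged, since only the field layout is assumed.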
What the U.S. Executive Order on cybersecurity means for DevOps
As the federal government tightens its approach to supply chain security, software suppliers will have to demonstrate the security of their development environments, document their testing approach, and disclose the vulnerabilities affecting their products along with the results of security testing.
For DevOps teams that already practice continuous feedback, this is the moment to shine. Beyond continuous testing and improvement, producing an SBOM means accounting for every element of a product, including open source and third-party software, and keeping that inventory current as dependencies change; shifting left, with dependency and vulnerability checks running in the delivery pipeline, becomes a fundamental part of software delivery.
The EO marks a meaningful change in the government's approach to cybersecurity, from reactive to preventive, one that will ripple through software development at large. Although the order applies directly to federal agencies and their contractors, the wider industry will gradually adopt its requirements as standard practice.