As of September 14, the White House released M-22-18, a memorandum for the heads of executive departments and agencies. This newest executive order continues to focus on Improving The Nation’s Cybersecurity specifically on the security and integrity of the software supply chain and the importance of secure software development environments.
Almost every organization relies on technology, and vulnerabilities or threats within technology supply chains can allow attacks to compromise that technology before it is ever delivered to the customer. ThrottleNet can assist with securing your infrastructure.
What Are Some Of The New Requirements?
In order to reduce the likelihood of cyberattacks, Executive Order 14028, Improving the Nation’s Cybersecurity, is implementing security protections. The first of those protections is discussing the role of firmware in software and ensuring that applications and operating software are secure.
Software integrity is the practice of ensuring that software code has not been tampered with, remains unaltered, and follows risk-based approaches to deliver secure software. By validating software integrity, an organization can be sure that the code they are running is the code that was originally intended. “Software” may also refer to firmware, operating systems, applications, and application services in this memo.
In order to ensure supply chain security, the White House has directed the NIST framework to develop guidance for validating the integrity of software code used in systems that handle Federal information. The National Institute of Standards and Technology (NIST) is a federal agency that develops and maintains standards for technology, including cybersecurity. This guidance will help Federal agencies and their contractors ensure that the software they use has not been tampered with and remains unaltered.
As part of supply chain security, the White House has directed NIST to develop guidance for self-attestation. Before an organization can use a given software, the producer of that software must provide documentation saying that they conform to the NIST guidance. It is important to note that this self-attestation is the minimum level required. Organizations may also be required a third-party assessment based on the criticality or risk of the system.
This guidance will help Federal agencies and their contractors ensure that the companies they do business with are complying with those requirements.
Who’s Affected By This Executive Order?
This memo specifies a few parties this will affect:
1. Federal Agencies
2. Contractors of Federal Agencies
3. Manufacturers, Developers, and Suppliers of Covered ICTS
4. Service Providers for Covered ICTS
5. Users of Covered ICTS
If you belong to any of the groups listed above, it’s important to be aware of the new requirements for supply chain security. Make sure that you are taking steps to ensure the integrity of the software code used in your systems.
How Soon Should I Comply?
The memo states that NIST will develop the guidance for self-attestation and software integrity within 120 days.
“Within 90 days of the date of this memo [dated on September 14th] agencies shall inventory all software subject to the requirements of this memorandum, with a separate inventory for ‘critical software.”, it reads.
Agencies must collect their attestation letters within 270 days after the memo is published. Extensions and waivers may be requested, please see here for more details on requirements and how to obtain them.
Prepare with ThrottleNet & Keep The Supply Chain Secure
The guidance is still in development, but you should be taking proactive measures to ensure that your systems are secure and meet compliance requirements. Our team of cybersecurity experts at ThrottleNet can help get your organization on track with meeting NIST guidelines and protecting your infrastructure.
Don’t wait last minute and start preparing day for these new compliance regulations and keep the supply chain secure with managed security services and NIST consulting. Contact ThrottleNet today to get started.