The New Mandate To Harden Government Software

America’s infrastructure vulnerability is growing—here’s how the public sector is ratcheting up its cybersecurity efforts.

Labeled as one of the most disruptive ransomware attacks in history, last year’s Colonial Pipeline attack resulted in the exfiltration of over 100GB of data in a matter of hours, $4.4 million in ransom paid, and up to 71% of gas stations without fuel in some areas along the East Coast.

This attack brought attention to how strikingly vulnerable America’s infrastructure is. In its wake, steps are being taken to improve the security of critical government services, starting with software accountability.

The benefits of a more connected world are undeniable: Technology reduces barriers to information, increases efficiency in critical areas like healthcare, and allows businesses to reach and better serve more customers. But in the age of mass digitization, each connection comes with the risk of vulnerability—a weak link in controls, software, or other connected systems that cybercriminals can attack, exploit, and even control.

The approach to addressing these security challenges in highly regulated industries needs to be precise. This means a blend of cutting-edge technology from leading security vendors, preferably a zero trust model, visibility into the origin of all software used in a given organization, and end-user cyber hygiene to avoid threats like phishing.

Government drops the SBOM

In May 2021, President Biden issued a cybersecurity executive order that calls for all software vendors that do business with government agencies to include a “software bill of materials” (SBOM). An SBOM is simply a detailed inventory of each software component used to create a given tool, program, operating system, etc.

The executive order is an effort to make the government more resilient to threats and is crucial to keeping government data safe—whether it’s classified information or, in the case of agencies like the DMV, civilian data.

Just as open-source code has become ubiquitous in software development, the executive order aims to make SBOMs equally far-reaching. All public agencies, regardless of size, will have to comply with the new standards—as will the developers, contractors, and private software companies that partner with these agencies.

The SBOM evolution

Federally mandated “ingredient” disclosures are not new and have existed for decades for physical products. In fact, SBOM attestations already exist in highly classified software solutions and in private organizations holding high-level security certifications such as FedRAMP and Impact Level 4.

The executive order is an evolution of the current Vulnerability Exploitability eXchange (VEX), which details whether known vulnerabilities actually affect a software-driven tool and, if so, the recommended actions to remediate them. The difference between this and the impending directive is that VEX doesn’t require a complete SBOM.
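To make the SBOM-versus-VEX distinction from the two paragraphs above concrete, here is an added example (not the article's or any official tool's code): a component inventory of the kind an SBOM carries, cross-referenced with VEX-style statements. The record layouts, component names and vulnerability IDs are simplified, constructed stand-ins rather than the real CycloneDX, SPDX or CSAF schemas; only the four VEX status values are the standard ones.

```python
# Added example (not from the article or any official tooling): a minimal SBOM
# inventory cross-referenced with VEX-style exploitability statements.
# Data formats are simplified, constructed stand-ins, not CycloneDX or SPDX.
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:          # one SBOM entry: what is in the product, and from whom
    name: str
    version: str
    supplier: str

@dataclass(frozen=True)
class VexStatement:       # one VEX entry: does a vuln apply here, and what to do
    vuln_id: str
    component: str
    versions: tuple       # affected version strings
    status: str           # "affected", "not_affected", "fixed", "under_investigation"
    detail: str = ""      # remediation action or not_affected justification

def triage(sbom, vex):
    """Match each VEX statement to the SBOM; keep only statements whose
    component AND version are actually present in this product."""
    present = {(c.name, c.version) for c in sbom}
    return [(s.component, s.vuln_id, s.status, s.detail)
            for s in vex if any((s.component, v) in present for v in s.versions)]

def must_act(sbom, vex):
    """Components the VEX says are exploitable in this build, with the action."""
    return [(name, vid, detail) for name, vid, status, detail in triage(sbom, vex)
            if status == "affected"]

def unattested(sbom, vex):
    """Components no VEX statement mentions at all: a visibility gap, not 'safe'.
    This is the gap a complete SBOM is meant to expose."""
    named = {s.component for s in vex}
    return sorted(c.name for c in sbom if c.name not in named)

# Constructed sample inventory and statements (placeholder names and IDs)
SBOM = [Component("libfoo", "1.2.3", "Example Vendor A"),
        Component("jsonparse", "2.0.0", "Example Vendor B"),
        Component("tlslib", "3.1.0", "Example Vendor C"),
        Component("logutil", "0.9.1", "Example Vendor D")]
VEX = [VexStatement("VULN-0001", "libfoo", ("1.2.3",), "affected", "upgrade to 1.2.4"),
       VexStatement("VULN-0002", "jsonparse", ("1.9.0",), "affected", "upgrade to 2.0.0"),
       VexStatement("VULN-0003", "tlslib", ("3.1.0",), "not_affected",
                    "vulnerable code not in execute path")]

if __name__ == "__main__":
    for row in triage(SBOM, VEX): print(row)
    print("act on:", must_act(SBOM, VEX))
    print("no attestation:", unattested(SBOM, VEX))
```

Note that VULN-0002 drops out of triage because the inventoried jsonparse is already the fixed version, while logutil shows up as unattested: without the SBOM naming it, nobody would know to ask for a statement about it at all.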

The SBOM framework was conceptualized in 2018 as an effort by the National Telecommunications and Information Administration to safeguard government agencies from advanced attacks and code vulnerabilities buried in open-source software used by almost all developers.

Beyond “handshake” compliance

Currently, at the state or unclassified level, software development relies on service-level agreements, which boil down to “handshakes” and checkboxes stating that the software meets the security standards of the requesting agency. In contrast, the executive order will require the requesting agency to prove that all code used to create a piece of software is secure, which demands unrestricted visibility into the security posture and known vulnerabilities of a solution.

Government agencies aren’t the only institutions preparing for the implementation of this executive order. Major players in the software industry, whose solutions are often applied to various government-specific use cases, are investing heavily in obtaining classified certifications required to partner with federal and state agencies.

Government examples aside, these vendors are building increased visibility, auditing, and vulnerability discovery into their software because their civilian partners also face the same threats as the public sector: ransomware, command and control, exfiltration, and lateral movement. One of the most powerful ways to safeguard against these threats is accountability, which starts at the code level.

Infrastructure and supply chain attacks are one of the biggest threats a nation can face. Although the process is complex, preventing cyber threats begins with visibility into potential vulnerabilities, regardless of their origin. This executive order pushes government agencies to take a proactive approach to security by identifying vulnerabilities before they are exploited—something more critical now than ever.

Pairing this accountability with cutting-edge tools provided by the private sector will keep critical infrastructure running—and out of the headlines.