The head of the Cybersecurity and Infrastructure Security Agency (CISA) said today that the Federal government has a “powerful” ability to mandate security standards for software vendors through its procurement process.
“A very powerful thing that you have as a government is the procurement power,” CISA Director Jen Easterly said during the GovernmentDX event in D.C. today. “Being able to nudge that in a way where you mandate security standards, that’s incredibly important.”
CISA and the Office of Management and Budget (OMB) released a secure software development attestation form last month, a crucial step towards ensuring that Federal contractors provide secure products to the Federal government.
The form – which followed extensive stakeholder and industry engagement – will help to advance a key aspect of President Biden’s 2021 cybersecurity executive order on creating a more secure software supply chain.
The attestation form for software producers is also an integral part of an OMB directive issued in September 2022 that requires Federal agencies to take a range of actions to comply with National Institute of Standards and Technology guidance on software security.
According to OMB, Federal agencies have six months from the form’s finalization to start collecting attestations for third-party software. The attestations for critical software are due on June 8, 2024. Attestations for all other software are due on Sept. 8, 2024.
“In June, the [critical] software attestation form that we worked on with you is going to go out,” Easterly said. “That’s another thing that I would recommend all of our partners look at, which is essentially the baseline cybersecurity standards for software vendors to the government.”
“It’s consonant with work that we’ve been doing which is all about secure-by-design technology,” Easterly said. “You can build, you can operate, you can maintain, but if you’re not securing, at the end of the day you’re not going to be able to operate effectively. And so, these [are] ways of ensuring that companies and governments and application developers are always prioritizing security by design.”
CISA unveiled its secure-by-design guidelines just over one year ago; they aim to outline clear steps that technology providers can take to increase the safety of products used around the world.
“You have to have security by design, because if you have security by design, you naturally have resilience by design,” she continued, adding, “And for something like the government services that all Americans rely upon, you have to have an ability to continue to operate that even in the face of data theft and disruption.”
“That’s what we’re seeing from adversaries because they’re not just focused on espionage, they actually are focused on disrupting and in some cases, corrupting and destroying our networks,” Easterly said. “And so that’s why security and the emphasis and the prioritization and the partnership is so absolutely critical.”