The National Security Telecommunications Advisory Committee (NSTAC) – a group of private sector experts that advises the White House on telecom availability and reliability issues – has drafted several recommendations for the Biden administration including one to establish a task force for software assurance in information and communications technology and services supply chains.
Recent software supply chain compromises highlight critical risks and large-scale ramifications for industry and the government. The exploitation of software products on sensitive systems can significantly impact national security and emergency preparedness missions, and President Biden’s executive order to improve the nation’s cybersecurity has provided valuable direction and a framework for the Federal government’s cybersecurity efforts.
But given the increasing use of and dependence on software in critical infrastructure, the committee said several areas are ripe for urgent action, including software assurance, stakeholders, and external influencing factors.
“To address these areas, the President should establish a task force charged with defining a public-private initiative focusing on key areas of software assurance and the software supply chain,” the report says.
The committee offered several recommendations to address these focus areas, including Federal investment in research and development for software assurance to keep up with advances in computing architectures, incentivizing engagement among all stakeholders in software assurance programs, and creating a task force to define viable incentives to support assurance practices in the highly diverse software ecosystem.
The NSTAC also believes that much like the earlier public-private effort on the NIST Cybersecurity Framework, such an initiative can address fundamental misalignment of incentives, diversity of the assurance approaches, and complexity of the software supply chain. An effort of this nature “can translate the urgent need for action into an implementable framework,” the report states.
The NSTAC also recommended that an industry-heavy group at the Department of Homeland Security participate in agencies’ application of guidelines tailored to specific sectors under the cybersecurity executive order. In addition, the report calls for a focus on identifying and supporting security for the open-source code libraries that often are used to create critical software.
The NSTAC was scheduled to meet with senior White House cybersecurity officials today to vote on the draft report. National Cyber Director Chris Inglis, Cybersecurity and Infrastructure Security Agency Director Jen Easterly, and National Security Council Cybersecurity Policy Chief Jeffrey Greene were expected to participate in this meeting.