The President’s Executive Order 14028, titled Improving the Nation’s Cybersecurity, directed federal agencies, and called on the private sector, to enhance the security and integrity of the software supply chain. The initiative seeks to improve the Nation’s ability to identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated malicious cyber campaigns.
What does this mean for your organization, and how can you leverage these guidelines to enhance your software supply chain security?
It called on the private sector to partner with the Federal Government to protect the Nation from malicious cyber actors, adapt to the continuously changing threat environment, ensure that products are built and operate securely, and ultimately foster a more secure cyberspace.
This includes both information technology (IT), the systems that process data, and operational technology (OT), the systems that run the vital machinery that keeps us safe.
The EO went on to state that the prevention, detection, assessment, and remediation of cyber incidents is a top priority for the Administration, and essential to national and economic security.
This EO is one more step in the right direction for dealing with supply chain attacks, whether carried out by nation-states or by criminal groups. Recent incidents such as the Colonial Pipeline ransomware attack, the Kaseya VSA compromise, the SolarWinds Orion compromise, and the Log4j (Log4Shell) vulnerability in a widely used open-source library have brought the topic of supply chain security to the front pages, and to the board agenda.
The most directly affected sector is that of federal government IT service providers. However, as with previous Executive Orders and regulations, it is expected this will have a cascading effect: from federal contractors to organizations across different industries, as new standards are set and practices are adopted.
As PwC analysts put it:
The private sector, academia, government agencies, and others will cooperate in identifying existing or developing new standards, tools, best practices, and other guidelines to enhance software supply chain security.
Those guidelines, while ultimately aimed at federal agencies, are also available for industry and others to use, including your organization. They cover topics such as criteria for evaluating software security, criteria for evaluating the security practices of developers and suppliers, and tools or methods for demonstrating conformance with secure development practices. Two concrete outputs of that process are NIST’s Secure Software Development Framework (SP 800-218) and the NTIA’s minimum elements for a Software Bill of Materials (SBOM).
Agencies like CISA and NIST have put together these useful resources: