Executive Order 14028, "Improving the Nation's Cybersecurity" (May 2021), directs the Federal Government, and calls on the private sector, to enhance the security and integrity of the software supply chain. Its stated aim is to help identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated malicious cyber campaigns.
What does this mean for your organization, and how can you leverage these guidelines to enhance your software supply chain security?
The EO calls on the private sector to partner with the Federal Government to protect the Nation from malicious cyber actors, adapt to a continuously changing threat environment, ensure that products are built and operate securely, and ultimately foster a more secure cyberspace.
This covers both information technology (IT), the systems that process data, and operational technology (OT), the systems that run the vital machinery our safety depends on.
The EO goes on to state that the prevention, detection, assessment, and remediation of cyber incidents is a top priority for the Administration and essential to national and economic security.
This EO is one more step in the right direction for dealing with supply chain attacks, including those carried out by nation-state actors. Recent incidents, such as the SolarWinds and Kaseya supply chain compromises, the Colonial Pipeline ransomware attack, and the Log4j (Log4Shell) vulnerability, have put supply chain security on the front pages and on the board agenda.
The most directly affected sector is that of federal government IT service providers. However, as with previous Executive Orders and regulations, it is expected this will have a cascading effect: from federal contractors to organizations across different industries, as new standards are set and practices are adopted.
As PwC analysts put it:
The private sector, academia, government agencies, and others will cooperate in identifying existing or developing new standards, tools, best practices, and other guidelines to enhance software supply chain security.
Those guidelines, while ultimately aimed at federal agencies, are also available for industry and others to use, including your organization. They cover topics such as criteria for evaluating software security and the security practices of developers and suppliers, as well as innovative tools and methods for demonstrating conformance with secure practices.
Agencies like CISA and NIST have put together these useful resources: