- Executive Order 14028 (May 2021) directs federal agencies to dramatically improve cybersecurity. Software supply chain security, zero trust, and incident reporting.
- Software vendors selling to the federal government must demonstrate secure software development practices aligned to NIST SSDF (SP 800-218) and provide a Software Bill of Materials (SBOM).
- The EO drives Zero Trust Architecture adoption across federal agencies, with implications for any organization providing IT services or software to the government.
- Critical software definition expanded scope to include identity, privileged access management, network protection, endpoint protection and vulnerability scanning tools.
- Implementation flows through OMB memoranda, including M-22-18 (software supply chain) and M-22-09 (Zero Trust strategy).
What Is EO 14028?
The CISA Secure Software Development Attestation Form contains the same attestation requirements as the NASA Secure Software Development Attestation Form and the US Department of Transportation (DOT) Attestation Form. Even the General Services Administration (GSA) has its own software attestation form. All require attestation for Secure Software Development Practices (SSDP) from EO 14028.
Are you willing to sign this off on behalf of your organization?
"On behalf of the above-specified company, I attest that, to the best of my knowledge, [software producer] presently makes consistent use of the following practices, derived from the secure software development framework (SSDF), in developing the software identified in... [EO 14028]" To legitimately attest, this requires an organization to have clear evidence of due diligence and due care of its development practices. This is both at the organization level and for its developers.
EO 14028 Secure Software Development Practices (SSDP) Requirements
The following SSDP requirements are applicable to EO 14028, Sec. 4. Enhancing Software Supply Chain Security requirements from EO 14028 include:
- (A) using administratively separate build environments.
- (D) documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software.
- (F)(ii) generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i) of this section.
- (F)(iii) employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code.
- (F)(iv) employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release.
- (F)(v) providing, when requested by a purchaser, artifacts of the execution of the tools and processes described in subsection (e)(iii) and (iv) of this section, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated.
- (F)(vi) maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.
- (F)(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website.
- (F)(viii) participating in a vulnerability disclosure program that includes a reporting and disclosure process.
- (F)(ix) attesting to conformity with secure software development practices.
- (F)(x) ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.
Gold Standard For Secure Development
National Institute of Standards and Technology (NIST) SP 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, is the "gold standard for secure development" and provides guidelines and recommendations for integrating security into the design and development of systems, applications and services, with a focus on trustworthiness and security. NIST SP 800-160 covers a wide range of topics related to systems security engineering, including:
- The importance of a multidisciplinary approach to systems security engineering;
- The role of risk management in systems security engineering;
- The concept of trustworthiness in secure systems;
- The design and development of secure systems, including the use of secure design patterns and techniques;
- The integration of security into the systems development lifecycle; and
- The role of security testing in the engineering of secure systems.
NIST SP 800-160 is intended to serve as a resource for organizations seeking to design and develop secure systems, and as a guide for professionals working in the field of systems security engineering.
Executive Order (EO) 14028: Enhancing Software Supply Chain Security
Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, is focused on enhancing "software supply chain security" and is essentially a trickle-down set of requirements for Secure Software Development Practices (SSDP).
EO 14028 directs NIST to publish guidance on practices for software supply chain security. EO 14028 Section 4e contains ten (10) subsections, each of which specifies actions or outcomes for software producers, such as Commercial-Off-The-Shelf (COTS) product vendors, Government-Off-The-Shelf (GOTS) software developers, contractors, and other custom software developers. Per the EO, SSDP should be integrated throughout software life cycles for three (3) reasons:
- To reduce the number of vulnerabilities in released software;
- To reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities; and
- To address the root causes of vulnerabilities to prevent recurrences.
NIST SP 800-218 addresses EO 14028 Section 4e from a software producer viewpoint, where the software producers are the entities that implement SSDF practices. EO 14028 Section 4k explains that federal agencies will need to comply with NIST guidelines. In this context, federal agencies are software purchasers, not software producers, so additional guidance from the US Government is needed to address EO 14028 Section 4e from a software purchaser viewpoint. However, when a federal agency (purchaser) acquires software or a product containing software, the agency is required to receive attestation from the software producer that the software’s development complies with US Government-specified secure software development practices.
Protecting The Integrity & Reliability Of Software
Software supply chain security refers to the measures taken to protect the integrity and reliability of software throughout the software development and delivery process. This includes measures to protect against the introduction of vulnerabilities or malicious code into the software, as well as measures to ensure that the software is delivered to the intended recipients in a secure manner. There are several aspects to software supply chain security, including:
By implementing effective software supply chain security measures, organizations can help ensure that their software is as secure as possible and reduce the risk of vulnerabilities and security incidents.
Demonstrating Compliance With EO 14028
It is expected that Federal agencies will request artifacts from the software producer that support its attestation of conformity with the SSDP described in EO 14028 Section 4e subsections (i), (iii) and (iv). With EO 14028, it is specifically targeted at America's supply chain security. This is where it will be nearly impossible for software providers to avoid:
- Implementing Secure Software Development Practices (SSDP); and
- Having the artifacts (e.g., evidence) that the software provider (including its developers and architects) have implemented the SSDP throughout the lifecycle of the applications, service and/or process.
Software providers will invariably be impacted by EO 14028 due to trickle-down requirements. While a software provider may not categorize itself as a "Federal contractor" or a "Defense contractor" since it does not directly sell to the US Government, it will still get caught up in requirements that flow down from its customers that do sell products or provide services to the US Government. This is just the reality of how the Federal Acquisition Regulation (FAR) and Defense Acquisition Regulations System (DFARS) clauses work - those clauses trickle down throughout the supply chain.
Attesting to Conformity with Secure Software Development Practices (SSDP)
NIST defined minimum recommendations for Federal agencies as they acquire software or a product containing software. These recommendations are intended to assist Federal agencies and software producers in communicating clearly with each other regarding secure software development artifacts, attestation, and conformity:
Use the SSDF’s terminology and structure to organize communications about secure software development requirements. This enables all software producers to use the same lexicon when attesting to conformity for federal agencies. Software producers can map their secure development methodology to the SSDF’s secure software development practices or associated informative references.
Require attestation to cover secure software development practices performed as part of processes and procedures throughout the software life cycle. With the highly dynamic nature of software today, attesting to how things were and are done on an ongoing basis (processes and procedures) is typically more valuable than attesting to how things were done for a specific software release generated by one instance of those processes. This is especially true for post-release practices such as vulnerability disclosure and response, where processes might not yet have been performed for the latest release.
Accept first-party attestation of conformity with SSDF practices unless a risk-based approach determines that second or third-party attestation is required. First-party attestation is recommended for meeting the EO 14028 requirements. This is consistent with the guidance in NIST SP 800-161 Rev. 1 (Second Draft), which states in Section 3.1.2: “There are a variety of acceptable validation and revalidation methods, such as requisite certifications, site visits, third-party assessment, or self-attestation. The type and rigor of the required methods should be commensurate to the criticality of the service or product being acquired and the corresponding assurance requirements.”
When requesting artifacts of conformance, request high-level artifacts. The software producer should be able to trace the practices summarized in the high-level artifacts to the corresponding low-level artifacts that are generated by those practices. Asking for low-level artifacts for a particular software release is not recommended for meeting the requirements of EO 14028, but may be needed to meet other agency requirements. Reasons for avoiding low-level artifacts include the following:
- Low-level artifacts provide a snapshot in time of only a small aspect of secure software development, whereas high-level artifacts can provide a big-picture view of how secure software development is performed.
- Artifacts should address the needs of the audience receiving them, thus providing the necessary information in a usable format for that audience. Understanding low-level artifacts require the agency to expend considerable technical resources and expertise in analyzing them and determining how to consider them within the context of the broader secure software development practices.
- Low-level artifacts often contain intellectual property or other proprietary information, or details that attackers could use for hostile purposes, so accepting low-level artifacts gives the agency additional sensitive information to protect. These minimum recommendations apply to attestation for all software within the scope of this guidance procured by federal agencies and they should be part of each agency’s processes. The recommendations are not intended to replace more stringent requirements for secure software development that federal agencies may have.