U.S. Office of Management and Budget Directive: Federal Agencies Have 60 Days to Identify Critical Supply Chain Software

The M-21-30 OMB memo directs executives to catalog critical software assets in the next 60 days and, over the next year, implement the first phase of the guidance. The end game is to make the software supply chain more secure and protect the use of software in all operating environments, including cloud. The memo points to National Institute of Standards and Technology (NIST) guidelines to define “critical software;” the required cybersecurity measures needed in a multi-phased approach; and detailed instructions on how to best comply under the following timelines:

What’s Missing? Speed, Sticks, Vendor Requirements and Testing

If you read the memo thoroughly and were left thinking something is missing, you’re not alone. In my view, OMB should be pushing for results much faster. Consider how much the threat landscape changes every week. A year from now we’ll be dealing with new challenges not yet imagined. We must get ahead of it, not further behind. Here are some things to consider:

First, cataloging critical or even operational software assets should be a straightforward task that is already part of any federal agency’s cybersecurity plan and audit process. Also, where is the stick? What happens if a federal department or agency doesn’t meet the deadlines … aside from a chance they’ll get breached?

Second, government entities are not the only culpable party here. Yes, they must ensure they purchase software from reputable supply chain vendors, but where is the focus on the vendors?

Software vendors for the federal government should be required to assure provenance and provide evidence and artifacts that their software has been thoroughly tested and validated against vulnerabilities. Perhaps another third-party independent validation and certification is in order. Vendors might complain about the extra cost, time to market etc., but the impact would be far less than if a breach is caused by their software.

Third, just because software complies with guidance from NIST, the Federal Informational Security Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP), Federal Informational Processing Standards (FIPS) and Common Criteria today doesn’t mean it’s secure tomorrow. Sophisticated red team testing can identify vulnerabilities before attackers do. This should be part of the guidance.

A Few Final Thoughts

Time is a critical variable in the cybersecurity defense conversation. Assuming you subscribe to the idea that to stay ahead of the adversary, you must adapt in near real time to the threat of the day. The latest OMB directive is good to see; yet, it doesn’t keep the government on par with the speed of adversaries.

But, let’s end with some good news. Awareness is growing all the time. Measures like those laid out in the White House Executive Order on Improving the Nation’s Cybersecurity, which requires a Zero Trust architecture, help move us closer to where we need to be. Time is of the essence, so if you’re still on the sidelines when it comes to implementing Zero Trust, get in the game now.