Author: Janet Jones, Co-Chair M3AAWG
Executive Order 14028 (EO), Improving the Nation’s Cybersecurity, mandates “bold changes and significant investments” to help protect against malicious cyber threats. The EO emphasizes that “cybersecurity requires more than government action”, requiring “the Federal Government to partner with the private sector”. It also states “the private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”
Given the importance of private sector partnership and the downstream dependencies of the EO, M3AAWG is educating the member community and supporting the EO by incorporating it into ongoing global online anti-abuse initiatives.
During a recent member Engagement Series event, M3AAWG had the opportunity to host Mr. Kevin Stine, Chief Cybersecurity Advisor and Associate Director in NIST’s Information Technology Laboratory, to discuss NIST’s responsibilities outlined in the EO and to share progress, insights for the online anti-abuse community, and next steps.
Among other things, Section 4 of the Executive Order (EO) directs the Secretary of Commerce, through NIST, to consult with federal agencies, the private sector, academia, and other stakeholders in identifying standards, tools, best practices, and other guidelines to enhance software supply chain security. Those standards and guidelines will be used by other agencies to govern the Federal Government’s procurement of software. The EO also directs NIST to initiate two labeling efforts related to the Internet of Things (IoT) and software to inform consumers about the security of their products.
Relevant software is defined as software that:
- is designed to run with elevated privilege or manage privileges
- has direct or privileged access to networking or computing resources
- controls access to data or operational technology
- performs a function critical to trust
- or operates outside of normal trust boundaries with privileged access
Practically, these include operating systems; web browsers; endpoint security; network control, protection, monitoring and configuration; operational monitoring and analysis; remote scanning, access and configuration management; and backup/recovery and remote storage.
The order outlines protection objectives, including protecting software from unauthorized access and usage; protecting data; detecting, responding to and recovering from threats and incidents; and strengthening the human aspect of security.
The order also directs NIST to provide minimum standards for testing and verifying software and to publish guidelines for software supply chain security. The latter includes secure development, maintaining trusted source code, checking for and remediating vulnerabilities and disclosing vulnerabilities. Much of this has been in progress at NIST and other groups, with public input. The order also addresses attesting to the integrity and provenance of third-party software used in products.
With the explosion of IoT connected devices, the order also addresses security issues and software development for this huge category of products, as well as the development of a consumer labeling program.
NIST has major milestones coming up between February and May 2022 to provide guidance for enhancing Software Supply Chain Security as mandated in Section 4 of the EO.
M3AAWG appreciates the leadership role NIST took on to drive important changes to help improve the nation's cybersecurity, in partnership with industry, and will continue to incorporate appropriate guidance in online anti-abuse best practices and global initiatives with members and partnering communities. Best practices and other M3AAWG publications can be found at https://www.m3aawg.org/published-documents.
A short video discussing the order can also be found at https://youtu.be/hQv2sJVxPLM
Stay up to date with the latest information and learn how to engage at https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity and by following NIST on Twitter @NIST and @NISTcyber and on LinkedIn at https://www.linkedin.com/company/nist/.
Send input and questions to swsupplychain-eo@nist.gov
Work with the NIST National Cybersecurity Center of Excellence (NCCoE): https://nccoe.nist.gov