The Biden administration took a major step toward putting the president’s 2021 Executive Order into action last week by issuing new guidelines around the use of third-party software by federal agencies.
The White House software guidance looks to get assurances from software producers that they are screening their software for vulnerabilities and integrity of the code before those products are downloaded into government systems.
The hope is if software developers can, at a minimum, adhere to guidelines developed by the National Institute of Standards and Technology, federal agencies will have some assurances that third-party software will have a minimum standard of integrity that reduces the risk of compromise from malicious actors.
“With the number of threats targeting federal agencies growing, guidance to ensure that federal agencies are protected against both internal and external threats is critical,” Kevin Orr, president of RSA Federal, said via email. “This means that federal agencies need to look at both threats residing within their infrastructure as well as potential threats introduced by third-party suppliers.”
Gartner found anywhere from 40% to 80% of the lines of code in new software come from third parties, including runtimes, libraries, components and SDKs.
The majority of the code stems from a wide range of open-source projects, while the remaining code comes from third-party providers that generally don’t provide any amount of transparency into the quality of the software.
The guidance calls for software producers to provide a software bill of materials (SBOM) to the federal agencies they are contracted with to ensure the software is checked for code integrity and is properly screened for vulnerabilities.
“Access to SBOMs will provide the information organizations — government and commercial — need to begin the process of both understanding and evaluating the software they’re acquiring,” Dale Gardner, senior director analyst at Gartner, said via email.
Supply-chain attacks based on compromised code have become a more frequent threat in recent years. During the SolarWinds supply chain attack, discovered in 2020, a Russia-linked threat actor poisoned the company’s Orion IT monitoring platform, which compromised at least nine federal agencies and more than 100 private sector firms.
“This incident was one of a string of cyber intrusions and significant software vulnerabilities over the last two years that have threatened the delivery of government services to the public, as well as the integrity of vast amounts of personal data and business information that is managed by the private sector,” Chris DeRusha, federal CISO and deputy national cyber director, said in a blog post announcing the guidelines last week.
However, Yotam Perkal, director of vulnerability research at Rezilion, argues the software guidelines issued by the Office of Management and Budget need more robust solicitation requirements around SBOMs, which the guidance treats as optional. Software dependencies change over time, and self-attestation only provides a snapshot of the security of the dependencies in use at the moment of attestation.
“Unless the SBOM is provided per version, or the entity consuming the product has some way of generating updated information when a vulnerability like Log4Shell surfaces, organizations will still struggle to understand whether or not they are affected,” Perkal said in a statement.
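The two points raised above, that an SBOM is only useful when it is tied to a specific product version, and that a consumer must be able to re-check it when a new vulnerability surfaces, can be shown with a small script. The following is an added example, not code from the article, OMB, NIST or Rezilion: it builds two constructed CycloneDX-style SBOMs for a hypothetical product, checks each against a constructed advisory list that changes over time, and verifies the SHA-256 hashes recorded in the SBOM against the delivered artifacts. Package names, versions, artifact bytes and the advisory identifier are all placeholders chosen for illustration.

```python
"""SBOM vulnerability and integrity check (added example with constructed data)."""
import hashlib
import json
from typing import Dict, List, Tuple


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Placeholder artifact contents standing in for the real delivered files.
ARTIFACTS: Dict[str, bytes] = {
    "log4j-core@2.14.1": b"placeholder bytes for log4j-core 2.14.1",
    "log4j-core@2.17.1": b"placeholder bytes for log4j-core 2.17.1",
    "jackson-databind@2.13.0": b"placeholder bytes for jackson-databind 2.13.0",
}


def _component(name: str, version: str) -> dict:
    # CycloneDX component entry carrying the artifact hash the producer attests to.
    return {
        "type": "library",
        "name": name,
        "version": version,
        "hashes": [{"alg": "SHA-256", "content": _sha256(ARTIFACTS[f"{name}@{version}"])}],
    }


def _sbom(app_version: str, components: List[dict]) -> str:
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": "example-app", "version": app_version}},
        "components": components,
    })


# Constructed SBOMs: one per product release, as the article argues they should be.
SBOM_V1 = _sbom("1.0.0", [_component("log4j-core", "2.14.1"), _component("jackson-databind", "2.13.0")])
SBOM_V2 = _sbom("1.1.0", [_component("log4j-core", "2.17.1"), _component("jackson-databind", "2.13.0")])

# Constructed advisories as (package, first affected, first fixed, placeholder id).
# At attestation time nothing is known; later a Log4Shell-like advisory is published.
ADVISORIES_AT_ATTESTATION: List[Tuple[str, str, str, str]] = []
ADVISORIES_LATER: List[Tuple[str, str, str, str]] = [
    ("log4j-core", "2.0.0", "2.15.0", "ADV-PLACEHOLDER-0001"),
]


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple (no pre-release handling)."""
    return tuple(int(part) for part in version.split("."))


def parse_sbom(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Return (name, version, {hash_alg: digest}) for every component in the SBOM."""
    doc = json.loads(text)
    return [
        (c["name"], c["version"], {h["alg"]: h["content"] for h in c.get("hashes", [])})
        for c in doc.get("components", [])
    ]


def affected_components(sbom_text: str, advisories) -> List[Tuple[str, str, str]]:
    """List (name, version, advisory id) for components inside an advisory's affected range."""
    hits = []
    for name, version, _ in parse_sbom(sbom_text):
        for pkg, introduced, fixed, adv_id in advisories:
            if pkg == name and version_key(introduced) <= version_key(version) < version_key(fixed):
                hits.append((name, version, adv_id))
    return hits


def verify_integrity(sbom_text: str, artifacts: Dict[str, bytes]) -> List[str]:
    """Return components whose delivered bytes do not match the SHA-256 attested in the SBOM."""
    mismatches = []
    for name, version, hashes in parse_sbom(sbom_text):
        data = artifacts.get(f"{name}@{version}")
        if data is None or hashes.get("SHA-256") != _sha256(data):
            mismatches.append(f"{name}@{version}")
    return mismatches


if __name__ == "__main__":
    print("v1 at attestation:", affected_components(SBOM_V1, ADVISORIES_AT_ATTESTATION))
    print("v1 after advisory:", affected_components(SBOM_V1, ADVISORIES_LATER))
    print("v2 after advisory:", affected_components(SBOM_V2, ADVISORIES_LATER))
    print("integrity mismatches:", verify_integrity(SBOM_V1, ARTIFACTS))
```

Run as a script, the same `SBOM_V1` reports nothing at attestation time and one affected component once the later advisory exists, while `SBOM_V2` for the next release reports nothing, which is the case Perkal describes: the self-attestation snapshot is unchanged, only the advisory data moved. Real SBOM tooling would use package URLs rather than bare names to avoid ambiguity across ecosystems and would need proper version-scheme handling; both are out of scope for this illustration.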