Hogan Lovells

On June 2 and 3, the U.S. National Institute of Standards and Technology (NIST) held a workshop focused on the President’s recent Executive Order on Improving the Nation’s Cybersecurity (Order) during which government officials provided updates on the Order’s implementation and received industry feedback. The workshop focused in particular on the Order’s provisions regarding the security of the software supply chain and defining categories of “critical software” that will be subject to additional security expectations. Legal and cybersecurity leaders across industries tuned in, with the view that the results of these discussions likely would have a lasting impact on organizations even outside the government contracting space.

Executive Order Summary

The President signed the Order on May 12, as part of an effort to modernize the nation’s approach to cybersecurity and protect federal government networks. While focused in large part on shoring up federal agencies’ cyber defenses and incident response capabilities, the Order also instructs federal officials to begin work on reforms to federal procurement policies that would impose new cyber threat information-sharing obligations on government contractors. In addition, the Order envisions new mandatory secure software development standards for companies that develop software used on government networks. The Order is widely understood to be a response to recent high-profile software supply chain cyberattacks, as announced in late 2020 and early 2021, that affected many private and public sector entities.

Goals of the NIST Workshop

Government officials who presented at the workshop underscored NIST’s desire for ongoing and robust engagement with industry leaders as new cybersecurity standards take shape. For instance, Jeff Greene, Acting Senior Director for Cybersecurity on the National Security Council, likened the workshop to early discussions regarding the NIST Cybersecurity Framework, which NIST developed with input from industry and other stakeholders in 2013.

As part of this feedback process, NIST solicited position papers from industry representatives, advocacy groups, academics, and other stakeholders on the Order. The workshop itself consisted of panel discussions and presentations regarding NIST’s near-term and long-term responsibilities under the Order.

Below, we highlight some key takeaways from workshop discussions.

Key Takeaways

1. NIST Plans an Iterative Approach to Define “Critical Software”

The Order prioritizes software supply chain security for “critical” software. The Secretary of Commerce, acting through NIST, is charged with soliciting input from stakeholders regarding the definition of “critical software” as well as finalizing and publishing that definition.

In a presentation at the workshop, Barbara Guttman, NIST Software Quality Group Lead, suggested NIST is considering defining “criticality” based on the following criteria, largely derived from Section 4(g) of the Order:

  • The software runs with elevated privilege on an information enterprise;
  • The software performs a function critical to trust;
  • The software operates outside of the normal trust boundaries for privileged access; or
  • The software has direct and privileged access to networks or the Internet

Industry representatives advocated for NIST to set “a reasonable boundary” beyond which software is no longer “critical.” In response, Jon Boyens, who leads NIST’s Cyber Supply Chain Risk Management (C-SCRM) Program, explained that NIST plans to implement an iterative phased approach to defining “critical software,” beginning with a smaller set of software classes and later expanding to cloud-based and other forms of software. He also stated NIST is developing a “decision methodology” which, much like a checklist, would help software developers identify whether their product offerings fell within the scope of “critical software.”

2. Industry Proposes Baseline Secure Software Development Standards

Under the Order, developers who provide software to federal civil executive branch agencies will be subject to new secure software development standards. NIST is charged with developing such standards and thus solicited feedback on reasonable standards from industry representatives at the workshop.

Industry representatives stressed the need for NIST to pay particular attention to the integrity and provenance of open source code used in the development of software for federal government purchasers as well as to protect software development and build environments. One panelist highlighted the Secure Software Development Framework (SSDF) created in 2020 as part of the May 11, 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (13800), as a helpful and largely comprehensive jumping off point for NIST.

3. CISA Provides an Update on the Modernization of Cybersecurity Policies and Procedures

The Order moves the federal government towards cybersecurity leading practices such as zero-trust architecture and mandates deployment of multifactor authentication and encryption across federal civilian executive branch agencies within 180 days from the issuance of the Order.

Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, remarked that industry plays a key role in developing the tools, capabilities, and services that the federal government will use to “make ‘zero trust’ more than a buzzword.” He also commented that organizations should strongly consider modernizing their own cybersecurity policies and procedures in line with federal best practices.

Specifications regarding additional cybersecurity standards, which will apply to federal agencies rather than the private sector, are expected in the coming months.

4. Initial Minimum Requirements for Software Bills of Materials

As part of its provisions regarding secure software development, the Order directs the Secretary of Commerce, in coordination with the National Telecommunications and Information Administration (“NTIA”), to develop requirements for Software Bills of Materials (“SBOMs”), which developers will be required to provide to government purchasers. SBOMs are defined by the Order as “formal record[s] containing the details and supply chain relationships of various components used in building software.”

At the workshop, an NTIA representative suggested that minimum elements of SBOMs may include, among other items, sources of data fields used in the software as well as the operational context within which the software functions. The public comment period regarding SBOM criteria is open until June 17, 2021.

5. Additional Opportunities for Feedback

The Order assigns additional responsibilities to NIST, including two pilot labeling programs related to software and the Internet of Things to inform consumers about the security of their products. NIST plans to address those programs in other forums. 

What’s Next

Although NIST did not signal any near-term requirements for software developers/providers during the workshop, government representatives repeatedly encouraged engagement with stakeholder groups and actively solicited feedback from industry representatives.

To facilitate these conversations, NIST plans to make available on its website a recording of the workshop, the slide decks used by presenters, as well as copies of the position papers they received in advance of the workshop.

Organizations across industries, and especially those who provide products and services to government agencies, may wish to remain engaged with opportunities for stakeholder feedback, including regarding the scope of “critical software” and future secure software development standards. A broad definition of “critical software” may sweep in many unsuspecting organizations and software developers, and thus organizations are well advised to monitor these developments and assess the implications of any proposed standards on their operations and business.

Baily Martin, a Summer Associate in our Washington, D.C. office, contributed to this entry.

[View source.]