Executive Order 14028 and the Software Supply Chain

With Executive Order 14028’s requirements coming into effect, government agencies and their software partners are looking for ways to meet these stringent requirements. These include managing system security across all potential attack vectors, including those introduced during the development cycle.

Here, we discuss how the Secure Software Development Framework is a good baseline for approaching the EO requirements. 

What Is Executive Order 14028?

Executive Order 14028 (“Executive Order on Improving the Nation’s Cybersecurity”) is a comprehensive directive aimed at strengthening the aging and underdeveloped cybersecurity defenses of the United States. 

Some of the general requirements and upgrades the EO defines include:

How Are Threats Introduced to the Software Supply Chain?

The Biden EO and the Secure Software Development Framework (SSDF) aim to address security issues in software development and close security gaps not covered by typical compliance standards. 

The software supply chain is a long and involved process that includes stages such as:

Because software development is now such an involved and integrated process, the development cycle is exposed to attacks at many points, including the following:

Aligning Compliance with Executive Order 14028 and the Secure Software Development Framework

The date for achieving the changes required in this EO has already passed, and a significant part of the requirements involves securing software and the software supply chain. Fortunately, NIST provides several approaches to such security, primarily the SSDF as detailed in NIST SP 800-218. This framework provides software developers with a blueprint for meeting minimum security requirements during the development lifecycle.

Some ways these align include:

Enhancing Software Supply Chain Security

The order mandates that federal agencies adopt stringent software development and procurement security practices. It requires using Software Bills of Materials (SBOMs) to increase transparency about software components and their origins.

The SSDF provides guidelines for secure software development practices, emphasizing the need for rigorous security controls throughout the software development lifecycle. The SBOM aligns with SSDF’s emphasis on transparency and component security.

Establishing Baseline Security Standards

The EO directs NIST to define baseline security standards for software development, including requirements for developers to maintain secure environments and implement secure coding practices.

NIST SP 800-218 is a foundational document providing these baseline security standards. It outlines specific practices and controls developers should implement to enhance software security, such as secure coding, security testing, and vulnerability management.

Adoption of Zero Trust Architecture

The Executive Order calls for adopting a Zero Trust Architecture across federal agencies, which minimizes implicit trust and continuously verifies the security posture of devices, users, and applications.

While the SSDF focuses specifically on software development practices, the principles of Zero Trust can be integrated into the development process to ensure that software products are designed with minimal implicit trust and robust security verification mechanisms.

Improving Vulnerability Detection and Response

The EO requires the implementation of Endpoint Detection and Response (EDR) initiatives and enhanced logging practices to detect and respond to cyber threats more effectively.

The SSDF emphasizes the importance of security testing and continuous monitoring as part of the development lifecycle. By integrating EDR and advanced logging, organizations can better detect and address vulnerabilities throughout the software development process.

Information Sharing and Transparency

The EO promotes improved information sharing between the private sector and government agencies to enhance collective cybersecurity efforts.

The SSDF supports this by encouraging organizations to document and share security practices, vulnerabilities, and mitigation strategies, fostering a collaborative approach to improving software security.

Shore Up Your Software Development with Lazarus Alliance

The timeline for adherence to Executive Order 14028 has passed, and software supply chain security will be paramount for success. If you’re a developer who needs to get your lifecycle and security management up to speed, work with Lazarus Alliance.

To learn more, contact us.