Recently, several developments have been proposed or announced to help identify and mitigate cyber risk for United States critical infrastructure operators and software in an effort to further bolster the cybersecurity posture of the federal government.
In this blog we discuss: (1) a new OMB requirement that federal vendors must attest to a secure software supply chain development process; (2) a bipartisan bill introduced that scrutinizes open source software used by federal agencies and critical infrastructure operators; and (3) a request for information by the Cybersecurity and Infrastructure Security Agency (CISA) regarding forthcoming critical infrastructure regulations.
These measures are primarily targeted at federal contractors and critical infrastructure operators, but likely will have a broader effect as companies reassess their cyber incident policies and the use of open-source components in their products. These measures also build on past initiatives – such as President Biden’s May 2021 Executive Order 14028, Improving the Nation’s Cybersecurity, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was passed in May 2022 and will require companies that operate critical infrastructure to report certain cyber incidents to CISA.
OMB requires federal vendors to attest to a secure software supply chain
On September 14, 2022 the Office of Management and Budget (OMB) released a memorandum to executive agencies regarding their use of secure software development practices. The memorandum follows Executive Order 14028, Improving the Nation’s Cybersecurity (May 12, 2021), which directed the OMB to require executive agencies to comply with recent guidance from the National Institute of Standards Technology (NIST) on maintaining a secure software supply chain. NIST released its Secure Software Development Framework (SSDF), SP 800-218,3 and the Software Supply Chain Security Guidance in early 2022.
The memorandum requires all federal agencies to comply with the recent NIST guidance when using third-party software, including operating systems, applications, and cloud-based software. Specifically, each agency’s Chief Information Officer and Chief Acquisition officer must require each software producer to self-attest to compliance with the NIST guidance. Agencies can require a third-party assessment if a service or product is determined to be critical. Agencies can also require a “software bill of materials” – the ingredients that make up software components. These attestations are a critical requirement because, should the attestation be false, the company may face False Claims Act liability.
If a company cannot attest to the standard, it must document practices it has in place to mitigate risks and develop a plan of action. The agency may use the software if it finds this alternative documentation satisfactory. The attestations and other documents collected are not to be shared publicly and will eventually be compiled into a government-wide repository.
Agencies are required to inventory their software by December 13, 2022, and communicate the requirements to vendors by January 12, 2023. Agencies are require to collect attestation letters for “critical” software by June 11, 2023 and all other attestation letters by September 14, 2023.
Senators propose bipartisan bill requiring scrutiny of open-source software used by federal agencies and critical infrastructure operators
The Securing Open Source Software Act of 2022 recently passed the U.S. Senate’s Homeland Security and Governmental Affairs committee. The bill was drafted by Chairman Gary Peters (D – MI) and Ranking Member Rob Portman (R – OH) after a February 2022 hearing on the log4j vulnerability.
The bill directs CISA to hire personnel experienced with open-source software so that the agency can assess and mitigate the risks of using open-source code. CISA will then publish (1) an annual risk framework to evaluate open source software; and (2) an assessment every other year on open-source components used by federal agencies. The bill also contemplates that CISA would conduct assessments every other year on open-source components used by critical infrastructure entities.
The bill is aimed at addressing the risks of software development vulnerabilities as seen with log4j, although critics maintain that the risks are not unique to open-source software. The bill faces uncertain prospects this session but it could be appended to a larger “must-pass” bill before the term ends in January.
CISA requests public input on critical infrastructure regulations
CISA requested – by November 14, 2022 – public input on forthcoming regulations that will require qualifying critical infrastructure entities to report cyber incidents to the federal government pursuant to CIRCIA. This request for public input will be a good opportunity for companies to weigh in on a variety of breach reporting considerations, including precisely what kinds of entities should be subject to CIRCIA, and what kinds of incidents qualify as a “covered cyber incident” that needs to be reported to CISA within 72 hours. In particular, CISA has identified several topics of interest for a comment:
- Definitions that would impact the scope of the law, including covered entity, cyber incident, ransomware attack, and supply chain compromise;
- Commentary on what reports to CISA should include, what format they should take, and how they should be submitted;
- Definitions on when time-based triggers should start (e.g., when is a ransom payment “made” or what constitutes “reasonable belief” that an incident has occurred);
- Information on existing reporting obligations; the cost of reporting, including time and data retention costs; criteria on whether certain existing reporting obligations are sufficiently similar to warrant an exemption for the covered entity (e.g., exempting reporting obligations from banks that already report incidents to their primary financial regulator).
Comments close on November 14, 2022. While there’s no clear timeline on when the agency may publish a formal Notice of Proposed Rulemaking, CIRCIA requires that it be published no later than March 15, 2024 with a final regulation to follow 18 months thereafter. The effective date of the act’s reporting requirements will be set by the final rule.