Inside Cybersecurity

December 7, 2021

Daily News

NIST, NTIA begin EO-directed exploration of how to secure software used by federal agencies

By Sara Friedman / July 13, 2021

Recent publications from NIST and NTIA highlight challenges the federal government will face coming up with a definitive way to make software used by agencies more secure, while recognizing the process to define “critical software” and “SBOM” minimum elements is a work in progress.

As directed in President Biden’s May cyber executive order, the National Institute of Standards and Technology last week released two key publications -- one describing the use of critical software and the other minimum standards for software verification by software procedures. Both of the publications build on a white paper put out in June that outlines a definition for critical software.

“The intent of specifying these security measures is to assist agencies by defining a set of common security objectives for prioritizing the security measures that should be in place to protect EO-critical software use,” NIST said in its latest critical software publication, issued on Friday, which breaks down security measures developed by several government agencies including NIST, CISA, the National Security Agency and Office of Management and Budget.

Henry Young, director of policy at BSA-The Software Alliance, called the NIST publications “strong reminders of the importance of software to organizations around the world, including the United States government, in accomplishing their missions and serving their customers.”

“BSA, which represents the world’s most innovative enterprise software companies, is optimistic that these documents will achieve our shared goal of improving the security of software use,” Young told Inside Cybersecurity. “While the development of software is beyond the scope of this NIST guidance, the enterprise software industry, led by BSA, has been working on improving the secure development, capabilities, and life cycle of software through documents like the BSA Framework for Secure Software. BSA members will continue to invest to provide all customers, including the United States Government, the most secure and innovative software solutions.”

NIST also put out a FAQ document as part of the critical software publication in response to a question from stakeholders, asking, “Are all of the security measures appropriate for all EO-critical software?”

The standards agency said, “A security measure might not be relevant for a particular situation based on the nature of the software deployment or other factors. If a particular security measure cannot be implemented, other security measures could be identified and implemented to mitigate the risk and achieve the outcome that the missing security measure was intended to address. Agencies are still expected to apply risk management activities as part of their overall cybersecurity programs.”

The Consumer Technology Association praised this approach, making a case for using risk as a foundational part of NIST’s work.

“There is no question that the EO-Critical software groupings in NIST’s recent definitions are important categories, and everyone has a stake in making sure they are given proper protection in deployments of strategic risk,” said Michael Bergman, CTA’s vice president for technology and standards. “Because risk assessment is such an important part of cybersecurity, we appreciate item #1 of the FAQ which states that not all of the Security Measures Guidance will be appropriate to all EO-Critical software. For example, IoT devices may not be able to implement multi-factor authentication.”

Bergman told Inside Cybersecurity, “The Recommended Minimum Standards of Testing guidance is based on a strong set of NIST and industry voluntary recommendations. Industry has been working for years on such recommendations. It’s great that NIST recognizes the value of pairing the agency’s expertise with such a strong industry roster.”

The “Minimum Elements For a Software Bill of Materials (SBOM)” report from the National Telecommunications and Information Administration was described as a good start by technology companies in the security space.

“It’s exciting to see the roll out of initiatives mandated by May’s Executive Order on cybersecurity. CrowdStrike has been following these developments closely and contributing to the stakeholder processes, including for the SBOM initiative,” CrowdStrike’s Drew Bagley told Inside Cybersecurity. Bagley is vice president and counsel for privacy and cyber policy.

Bagley said, “Today’s report is the clearest description of how ‘version one’ of the concept could work. The report prioritizes some key areas for software supply chain transparency, such as initial application of the SBOM concept within legacy and on-premise software, which tend to be more static targets to be exploited. We think an SBOM proof-of-concept initiative could help illustrate the value proposition of the concept overall.”

Bagley continued: “The ultimate goal of improving software supply chain security will require a multifaceted approach, including leveraging the very technologies and security principles highlighted in the EO. We welcome all efforts, including complementary initiatives led by NIST, that seek to strengthen supply chain security throughout the software and IT ecosystem.”

Tobias Whitney, vice president of energy solution strategies at Fortress, said the Bill of Materials issue “should be at the forefront” of discussions about cybersecurity. “The NTIA paper outlines critical items that would eventually create a standard structure which would be helpful for all sellers of software to critical infrastructure organizations,” Whitney said. “I think there is probably a little more work to do to make sure buyers of software can make heads or tails of what’s out there, but this is a step in the right direction.”

Meghan Pensyl, BSA’s policy manager, said NTIA faced a “difficult challenge to describe the minimum elements for a Software Bill of Materials, given the numerous different ways software is developed and deployed.”

Pensyl said BSA is “pleased to see that NTIA’s report recognized that different considerations for an SBOM apply to SaaS, for instance, which was a key part of BSA’s comments. We were also pleased that NTIA recognized that not all vulnerabilities are exploitable in all use cases, which affects what elements of an SBOM are important. We look forward to continuing to work with NTIA to effectively implement the Executive Order on Improving the Nation’s Cybersecurity and ensure that SBOMs help improve cybersecurity as part of a larger risk management program.”

Moves on Open Radio Access Networks

The Biden administration on Friday threw its support behind the use of Open RAN to promote the growth of a robust 5G marketplace in a new executive order focused on “Promoting Competition in the U.S. Economy.”

The EO asks the Federal Communications Commission to consider “providing support for the continued development and adoption of 5G Open Radio Access Network (O-RAN) protocols and software, continuing to attend meetings of voluntary and consensus-based standards development organizations, so as to promote or encourage a fair and representative standard-setting process, and undertaking any other measures that might promote increased openness, innovation, and competition in the markets for 5G equipment.”

John Baker, senior vice president at Open RAN provider Mavenir, said he was encouraged by the inclusion of Open RAN in the EO.

“It's good to see the White House go on the record in support of Open RAN as a driver of competition,” Baker said. “We agree that this approach to building mobile networks will help diversify the supply chain, provide operators with more flexibility and choice, and ultimately help American carriers of all sizes deploy cutting-edge 5G services.”

The FCC will hold a two-day Open RAN Showcase on Wednesday and Thursday, which the agency says will “include presentations from over 30 vendors whose interoperable, open interface, standards-based 5G network equipment and services will be ready and available for purchase and installation by January 1, 2022, if not sooner.”

FCC Acting Chairwoman Jessica Rosenworcel will kick off the conference, followed by remarks from Amit Mital, senior director for cyber and emerging technology at the National Security Council. The showcase features sessions with company executives serving different parts of the Open RAN ecosystem.

Commissioners Geoffrey Starks and Nathan Simington will speak on Wednesday. NTIA Acting Administrator Evelyn Remaley is scheduled to provide remarks on Thursday. -- Sara Friedman (sfriedman@iwpnews.com)