On July 13, 2023, the White House released the National Cybersecurity Strategy Implementation Plan, the roadmap for carrying out the National Cybersecurity Strategy published in March 2023 (which continues work begun under the 2021 cybersecurity executive order, EO 14028). The plan puts the onus on the “biggest, most capable, and best-positioned entities” to shoulder a larger share of the burden of implementing the strategy, and it uses incentives to steer organizations toward long-term investment in cybersecurity so that the strategy holds up over time.
The plan is based around five pillars:
- Pillar One: Defending Critical Infrastructure
- Pillar Two: Disrupting and Dismantling Threat Actors
- Pillar Three: Shaping Market Forces and Driving Security and Resilience
- Pillar Four: Investing in a Resilient Future
- Pillar Five: Forging International Partnerships to Pursue Shared Goals
Within these pillars are 65 initiatives. Each is assigned to a named lead agency, but carrying them out will require cooperation among many stakeholders, including private and public sector suppliers, industry experts, and academia.
Of these, Pillars Three and Four are likely to have the biggest impact on software development organizations delivering safety- and mission-critical software. Pillar Three is about furthering the implementation of SBOMs, establishing IoT security, building a software liability framework, supporting vulnerability disclosure, and driving cybersecurity investment. CISA, OMB, and other agencies are responsible for making this a reality and ironing out the requirements. Pillar Four is about driving cybersecurity standards, where NIST carries the load through guidelines such as the Secure Software Development Framework (SSDF, NIST SP 800-218).
The implementation plan illustrates the federal government’s commitment to cybersecurity and makes clear that the onus is not only on government agencies to set the standards and carry out the activities; it is also on the public and private sector companies and organizations that supply the government.
Pillar Three – Shaping Market Forces and Driving Security and Resilience
The key focus of Pillar Three is moving vendors to improve their software security with both a carrot (investment and incentives) and a stick (shifting liability onto the vendor). Of its objectives, the following bear most directly on software suppliers:
- Strategic Objective 3.2: Drive the Development of Secure IoT Devices. The aim is to improve IoT security with a combination of research, procurement rules, and risk management.
- Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services. The objective here is to establish a standard of care for securing software, paired with a safe harbor provision for companies that can demonstrate secure development practices. The objective also covers closing the gaps in SBOM adoption across industries, with a plan for scaling SBOM use. CISA is tasked with exploring a database of end-of-life and unsupported software, and with building domestic and international support for coordinated vulnerability disclosure.
- Strategic Objective 3.4: Use Federal Grants and Other Incentives to Build in Security. This objective is about “making a once-in-a-generation investment” in infrastructure and cybersecurity.
- Strategic Objective 3.5: Leverage Federal Procurement to Improve Accountability. The plan includes draft rules for future procurement covering cybersecurity, incident reporting, contract requirements, and secure software. It also leverages the existing False Claims Act (the route the Department of Justice already uses for cyber-related fraud cases) to bring civil actions against contractors that knowingly misrepresent their security posture or fail to meet the security commitments in their contracts.
- Strategic Objective 3.6: Explore a Federal Cyber Insurance Backstop. This objective includes the provision of federal insurance response to a catastrophic cyber event.
What this means
It’s clear the cybersecurity strategy is getting serious about focusing on key areas of concern. Specifically addressing IoT is important, as it represents a big security challenge that affects many critical infrastructure sectors. Also important is making liability an aspect of procurement, which puts companies on notice that legal action can be taken for poor security practices, especially if they misrepresent how secure their product is. SolarWinds, for example, has received a Wells Notice from the Securities and Exchange Commission, a notification that SEC staff intend to recommend enforcement action against the company.
SBOMs continue to play a big part in the plan and, hopefully, this gives CISA the tools needed to improve the adoption of SBOMs in software supply chain security.
Pillar Four – Investing in a Resilient Future
This pillar is about investing in the long-term foundations of security, and for software suppliers its most visible effect is standardizing security practices across the federal procurement market. NIST is responsible for establishing and publishing those standards; we have already seen this with the Secure Software Development Framework (SSDF, NIST SP 800-218).
- Strategic Objective 4.1: Secure the Technical Foundation of the Internet. This objective covers network security best practices but also addresses the software foundation of the internet, including securing open-source software and promoting memory-safe programming languages (also the subject of an initiative under Objective 4.2 below).
- Strategic Objective 4.2: Reinvigorate Federal Research and Development for Cybersecurity. The part of this objective of most interest to software developers is research and development into memory-safe programming languages for applications, middleware, and operating systems.
- Strategic Objective 4.3: Prepare for Our Post-Quantum Future. This objective pushes for better cryptographic techniques that are resistant to quantum-based attacks.
- Strategic Objective 4.4: Secure Our Clean Energy Future. This objective is to identify and implement secure-by-design pilot projects for clean energy technologies. This might apply to automobiles, energy grids, and other infrastructure sectors. The objective is linked to the government’s decarbonization goals.
- Strategic Objective 4.6: Develop a National Strategy to Strengthen Our Cyber Workforce. This objective is to increase the training and capability of the cybersecurity workforce. The vehicle for this is the National Cyber Workforce and Education Strategy.
What this means
The shift to memory-safe programming languages will be a long and rough road. C and C++ remain the most popular languages for embedded development, and concerns over performance, toolchain and certification maturity, and deterministic behavior in real-time, safety-critical software will be an ongoing challenge. However, as research dollars flow into these technologies, smart companies should at least be evaluating the feasibility of memory-safe languages for new components, with interoperability with their existing C and C++ code as the first question to answer.
The shift to secure-by-design in all aspects of product development, clean energy or not, is a transition many organizations still need to make. Shift-left principles and the integration of automated security tooling into CI/CD pipelines will help. Hopefully, guidelines like the SSDF and this push from the federal government will get more companies on board. As liability for security shifts to product manufacturers, it makes more business sense to build better security into research and development from the start.
Conclusion
The implementation plan issued by the White House for the National Cybersecurity Strategy, continuing the work begun under the 2021 cybersecurity executive order 14028, shows a strong commitment to enhancing cybersecurity across critical sectors. The plan is laid out in five pillars, with Pillar Three and Pillar Four holding the most significant implications for software development organizations delivering safety- and mission-critical software.
Overall, the implementation plan highlights the need for collaboration among various stakeholders, including public and private sector suppliers, industry experts, and academia, to collectively address cybersecurity challenges and ensure the long-term success of the strategy. By placing responsibilities on both government agencies and private organizations, the plan emphasizes a shared commitment to cybersecurity, ultimately contributing to a more secure and resilient digital landscape.
Addressing IoT security is essential, and establishing a standard of care for securing software raises the bar for security across industries. Moreover, it promotes the adoption of SBOMs in software supply chain security, which can significantly enhance transparency and security in the development process.
The plan’s push for memory-safe programming languages, despite the challenges, indicates a commitment to improving software security and resilience, especially in safety-critical and real-time systems. As companies face potential liability for security shortcomings, there is a growing incentive to integrate better security practices into their research and development processes.