The head of the Cybersecurity and Infrastructure Security Agency (CISA) said today that the federal government has a “strong” ability to mandate security standards from software vendors through the procurement process.
“One of the very powerful things that governments have is procurement power, and being able to drive that in a way that mandates security standards is really important,” CISA Director Jen Easterly said today at Government DX in Washington, DC.
CISA and the Office of Management and Budget (OMB) released the secure software development certification form, an important step toward ensuring that federal contractors deliver secure products to the federal government.
The form, shaped by engagement with a wide range of stakeholders and industries, will help advance key aspects of President Biden’s 2021 Cybersecurity Executive Order on building a more secure software supply chain.
The certification form for software producers is also an integral part of the OMB directive issued in September 2022, which requires federal agencies to take various steps to comply with National Institute of Standards and Technology guidance on software security.
According to OMB, federal agencies will begin collecting certifications for all third-party software within six months of the form being finalized.
“In June, we will be issuing software authorization forms that we have worked with you to create,” Easterly said. “This is another point that we encourage all partners to consider. This is basically a software vendor's baseline cybersecurity standard for the government.”
“This is consistent with our commitment to secure-by-design technology,” Easterly said. “You can build it, you can operate it, you can maintain it, but if you don't secure it, at the end of the day you can't operate it effectively. [These are] a way for businesses, governments, and application developers to always prioritize security by design.”
CISA announced the guidance, which aims to outline clear steps that technology providers can take to improve the security of products used around the world.
“We need security by design, because if we have security by design, then of course we have resilience by design,” she continued. “And for things like government services that all Americans depend on, we need the ability to continue operating in the face of data theft or destruction.”
“Because adversaries aren't just focused on espionage, they're focused on actually disrupting, and in some cases corrupting and destroying, our networks, so that's what we're seeing. It's about being there,” Easterly said. “That’s why security, focus, prioritization and partnership are so important.”