President Biden has made cybersecurity a top priority for his Administration at all levels of government. This is primarily motivated by the recent rampant cyberattacks on government agencies and their partners, including 3rd party vendors and suppliers. And on May 12, 2021, the President signed an Executive Order (EO) on improving the nation’s cybersecurity posture.
The EO directs multiple agencies, including NIST, to enhance cybersecurity through various initiatives leaning towards the security and integrity of the software supply chain. Without hesitation, NIST locked heads with other like-minded agencies like the National Security Agency (NSA), the Office of Management and Budget (OMB), and the Cybersecurity & Infrastructure Security Agency (CISA) to publish guidance outlining:
Please keep scrolling to understand what these guidelines entail, plus what’s required of your organization to implement them!
Part of the Executive Order was that NIST devises candid security measures for EO-critical software use. In that regard, the agency came up with five core objectives that suppliers and vendors should follow to enhance software supply chain security. These include:
Protect EO-Critical Software and EO-Critical Platforms from Illegal Access and Usage
To guarantee the optimal protection of EO-critical software and platforms from illegitimate access and usage, NIST requires the suppliers, vendors, and end-users to implement the following security measures:
Shield the Integrity, Confidentiality, and Availability of Data Used by EO-Critical Software and EO-Critical Platforms
In the second objective, NIST must ensure that the suppliers, vendors, and users of EO-critical software or platforms meet the following security requirements:
Identify and Maintain EO-Critical Software and EO-Critical Platforms to Protect them from Exploitation
NIST also has a responsibility to ensure that EO-critical software and EO-critical platforms users have the right solutions for continued maintenance and threat protection. As such, it requires all suppliers, vendors, and end-users to:
Quick Detection, Response to, and Recovery from Threats and Incidents Targeting EO-Critical Software and EO-Critical Platforms
As a NIST-compliant organization, you must have the capacity to quickly detect, respond to, and recover from cybersecurity attempts on your EO-critical software and EO-critical platforms. Thus, NIST requires you to:
Fortify the Understanding and Performance of Human Actions that Bolster the Security of EO-Critical Software and EO-Critical Platforms
In this capacity, NIST is tasked with ensuring that organizations implement the following security practices:
The May 12 Presidential EO also called for NIST to establish guidelines recommending minimum standards for vendors or developers to test their software source codes. Below are some of the techniques plus their recommended minimums:
NIST recommends the threat modeling campaign as a technique for uncovering vital and potentially overlooked testing targets. The method abstracts the system, profiles all potential attackers (plus their motives and methods), and catalogs all possible threats. In essence, threat modeling can help point out design-level security issues and focus authentication.
NIST also recommends fixing critical yet uncovered bugs as soon as possible. But that’s not all; software developers also need to make the necessary adjustments to prevent the resurgence of such bugs in the future.
NIST requires developers to implement an automated software source code testing solution. This guarantees that the tests can often be repeated consistently, producing accurate results each time, thanks to eliminating the chance for human errors. In addition, you can integrate the automated testing solution into an existing workflow or issue tracking system.
Suppose your organization relies on EO-critical software and/or EO-critical platforms to fulfill its day-to-day objectives. In that case, you have no choice but to comply with the above-discussed NIST guidelines. But let’s face it; these are not your ordinary cybersecurity guidelines and recommendations that you can implement at a press of a few buttons. Satisfying all the requirements takes time, firsthand cybersecurity expertise, and attention to detail to check all the boxes, as required by NIST.
So instead of bothering your employees with NIST compliance, you can simply partner with a No.1 rated San Francisco cybersecurity firm, On Time Tech, and let your workforce focus on more value-adding activities. We can help identify all the NIST guidelines that apply to your organization, devise a strategy, and implement all the requirements in a timely and effective manner for full compliance.
So what are you waiting for? Contact our responsive experts today, and let us take care of all your cybersecurity and software supply chain security needs!
My philosophy when starting OTT was I wanted to create a place that I would want to work at (fun and friendly.) Where there was no corporate politics and we could just do our job fixing things and helping people. We can help people with their technology and not be arrogant or condescending to people. We can actually make a difference in peoples lives and not just say it but do it.