Developments to improve the cybersecurity of federal government agencies, critical infrastructure

Recently, several developments have been proposed or announced to help identify and mitigate cyber risks to critical infrastructure operators and to software supply chains in the United States, with the goal of further strengthening the federal government's cybersecurity posture.

In this blog, we discuss: (1) a new OMB requirement that federal software vendors attest to secure software development practices; (2) a bipartisan bill that would require review of open source software used by federal agencies and critical infrastructure operators; and (3) a request for information by the Cybersecurity and Infrastructure Security Agency (CISA) regarding upcoming critical infrastructure incident reporting regulations.

These measures primarily target federal contractors and critical infrastructure operators, but they will likely have a broader effect as companies reevaluate their cyber incident policies and the use of open source components in their products. These measures also build on past initiatives, such as President Biden's Executive Order 14028 of May 2021, Improving the Nation's Cybersecurity, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was signed into law in March 2022 and will require companies that operate critical infrastructure to report certain cyber incidents to CISA.

OMB requires federal vendors to attest to a secure software supply chain

On September 14, 2022, the Office of Management and Budget (OMB) issued a memorandum to executive agencies regarding their use of secure software development practices. The memorandum implements Executive Order 14028, Improving the Nation's Cybersecurity (May 12, 2021), which directed OMB to require executive agencies to comply with National Institute of Standards and Technology (NIST) guidance on maintaining a secure software supply chain. NIST released its Secure Software Development Framework (SSDF), SP 800-218, and its Software Supply Chain Security Guidance in early 2022.

The memorandum requires all federal agencies to comply with the NIST guidance when using third-party software, which it defines broadly to include firmware, operating systems, applications and cloud-based application services. Specifically, each agency's Chief Information Officer and Chief Acquisition Officer should require each software producer to self-attest that its development practices conform to the NIST guidance. Agencies may require a third-party assessment if a product or service is deemed critical. Agencies may also require a software bill of materials (SBOM), a formal inventory of the components that make up the software and their supply chain relationships. These attestations carry real weight: a false attestation may expose the company to liability under the False Claims Act.

If a company cannot attest to the full standard, it should document the practices it has in place to mitigate risk and develop a plan of action and milestones for closing the gaps. The agency may use the software if it finds this alternative documentation satisfactory. The attestations and other documents collected are not to be shared publicly and will eventually be compiled in a government-wide repository.

Agencies are required to inventory their software by December 13, 2022, and to communicate the requirements to vendors by January 12, 2023. Agencies must collect attestation letters for "critical" software by June 11, 2023, and for all other software by September 14, 2023.

Senators propose bipartisan bill requiring scrutiny of open-source software used by federal agencies and critical infrastructure operators

The Securing Open Source Software Act of 2022 was recently approved by the U.S. Senate Homeland Security and Governmental Affairs Committee. The bill was drafted by Chairman Gary Peters (D-MI) and Ranking Member Rob Portman (R-OH) after a February 2022 hearing on the Log4j vulnerability.

The bill directs CISA to hire staff experienced with open source software so that the agency can assess and mitigate the risks of using open source code. CISA would then publish (1) a risk framework for evaluating open source software, updated annually; and (2) an assessment every two years of the open source components used by federal agencies. The bill also provides that CISA would conduct assessments every two years of the open source components used by critical infrastructure entities.

The bill aims to address the risk of widely used software components carrying critical vulnerabilities, as seen with Log4j, although critics argue that such risks are not unique to open source software. The bill faces an uncertain outlook this session, but it could be attached to a larger "must-pass" bill before the term ends in January.

CISA Seeks Public Comment on Critical Infrastructure Regulation

CISA has requested public comment, due by November 14, 2022, on upcoming regulations that will require covered critical infrastructure entities to report cyber incidents to the federal government under CIRCIA. This request for comment is a good opportunity for companies to weigh in on a variety of breach reporting considerations, including precisely which types of entities should be subject to CIRCIA and which types of incidents qualify as "covered cyber incidents" that must be reported to CISA within 72 hours (ransom payments must be reported within 24 hours). In particular, CISA has identified several topics of interest for comment:

  1. Definitions that would determine the scope of the law, including covered entity, cyber incident, ransomware attack, and supply chain compromise;
  2. What reports to CISA should include, the format they should take and how they should be submitted;
  3. When the reporting clocks should start (for example, when a ransom payment is "made", or what constitutes a "reasonable belief" that a covered incident has occurred);
  4. Information on existing reporting obligations; the cost of reporting, including time and data retention costs; and criteria for determining whether an existing reporting obligation is substantially similar enough to justify an exemption for the covered entity (for example, an exemption for banks that already report incidents to their primary financial regulator).

Comments close November 14, 2022. While there is no specific timeline for when the agency will publish a formal Notice of Proposed Rulemaking, CIRCIA requires that it be published no later than March 2024, with a final rule to follow within 18 months after that. The effective date of the law's reporting requirements will be set by the final rule.

Ashley C. Reynolds