Provided by Palo Alto Networks; all 10 recommendations are practical and needed IMO.
I would also add: Update the FAR rules to require software producers to meet minimum cybersecurity requirements for secure software, following the best practices adopted by NASA's SCRM process, providing vendors a clear understanding of expectations for secure, trustworthy products.
Adopt NASA best practices for supply chain risk management across all agencies to identify, procure and use only trustworthy products, following Executive Order 13873.
Implement a "Trust Registry" listing trustworthy software products that have passed a risk assessment, that Agencies must check as a prerequisite to purchasing any digital products used within the USG, following practices recommended by the US Coast Guard: "1) Develop and maintain a list of approved hardware, firmware, and software that may be installed on IT or OT systems. Any hardware, firmware, and software installed on IT and OT systems must be on the owner- or operator-approved list;"
Only trusted products that have passed an Agency risk assessment, NASA's SCRM process for example, following Executive Order 13873, NIST Guidance and Executive Order 14028 are eligible to be listed in the Trust Registry and may be procured, installed and used by the USG.
Make CISA more focused, effective and efficient at coordinating and rolling out harmonized, consistent cybersecurity standards from NIST and best practices defined by CISA's public-private partnerships across critical infrastructure sectors and the US Federal Agencies. Consolidate all cybersecurity standards work, coordination and messaging under CISA's National Risk Management Center (NRMC), including SBOM, Supply Chain Risk Management, Secure by Design, Vulnerability Management and the Cybersecurity Performance Goals. This will ensure that CISA speaks with one cohesive, consistent and clear voice in its cybersecurity guidance and work with all SRMAs.
More collaboration between CISA and the States on Cybersecurity best practices to identify, procure and use only trustworthy software products and implement baseline cybersecurity practices recommended by NARUC and DOE across critical infrastructure.
Government Agencies can share their "trusted product declarations" with other Agencies through the "Trust Registry" to gain efficiencies for risk assessment work performed by all US Government Agencies, reducing redundant work efforts.
Remember, risk always exists, but trust does not always exist. Always get the trust score before buying, installing or using a product. Make a risk-informed decision when it comes to software products. Know the difference between "risk scores" and "trust scores"; they are very different scoring concepts.
Looking forward to discussing SCRM best practices with colleagues at the March 20 FERC SCRM conference.