Government Entities can Prepare Now for Executive Order 14028 Implementation
- Dec 8, 2021 3:23 pm GMT
The May 12, 2021 Cybersecurity Executive Order (EO) 14028 set the stage for government action to address cyber risks in the software supply chain, following the SolarWinds breach that affected approximately 1,800 entities. It is impossible to overstate how risky the software supply chain is today. It is one of the most effective attack paths available to attackers: weaponizing the software supply chain of a trusted, widely used software product is extremely efficient and effective. Ransomware has become a lucrative business for attackers, which means there is a financial motive to stay in that business, and reports indicate that ransomware attacks are rapidly increasing. I know of only one effective method to stop ransomware: proactively stop the software that encrypts data from ever being installed and executed. This requires effective, proactive detection techniques that can reliably identify risky software before it is installed and executed. Fortunately, the cybersecurity experts at NIST have provided us with a solution that can work to detect harmful software and meet EO 14028 requirements. The NIST guidance is titled "APPENDIX F: RESPONSE TO EXECUTIVE ORDER 14028's CALL TO PUBLISH PRELIMINARY GUIDELINES FOR ENHANCING SOFTWARE SUPPLY CHAIN SECURITY" and is contained in NIST SP 800-161 R2, "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations".
This draft version of SP 800-161 provides the most direct, practical guidance I have seen to date on how government entities can meet EO 14028 requirements. Government entities within the Energy sector that will likely be subject to EO 14028, e.g., DOE, FERC, BPA, TVA and many more, will find this NIST guidance very useful as they prepare to implement its requirements. Appendix F was added to SP 800-161 in October 2021 and is currently undergoing a public review and comment period. The next version of Appendix F promises to be even better by incorporating input from commenters with real-world experience implementing some of its key elements, e.g., the Software Bill of Materials (SBOM). CISA also provides clear and direct guidance on methods to identify and protect critical infrastructure across sectors, which can help entities identify good candidates for pilot projects.
Some software vendors claim that it is difficult and costly to produce and distribute SBOMs. However, some vendors, Microsoft in particular, are working diligently to produce and distribute SBOMs for some products in March 2022 in order to help their government customers comply with EO 14028. If Microsoft, with its thousands of software products, is confident it can produce SBOMs, then I question the technical prowess and business judgement of any software vendor making the "too hard" and "too costly" claim, given the free, open-source tools available to create SBOMs and those vendors' lack of commitment to helping government customers comply with the EO.
In summary, government entities in the Energy and other sectors can begin preparing for EO 14028 now by following the guidance NIST provides in Appendix F of SP 800-161 R2. Ample tools are available for SPDX and CycloneDX to create and consume SBOMs as part of cybersecurity supply chain risk management (C-SCRM). SBOM tool vendors and software vendors are conducting SBOM interoperability testing and engaging in ongoing dialogue to prepare for EO 14028 implementation. More can be done to help government entities prepare, such as a pilot testbed that implements the Appendix F guidance, methods and practices using NTIA-compliant SBOMs in SPDX and CycloneDX format. We have the EO requirements in hand; we have the guidance needed to meet them (Appendix F); we have ample tools for government entities to implement Appendix F and SBOM functionality; we have key software vendors committed to delivering SBOMs in time to help their government customers meet EO deadlines; and we most certainly have the risk of ransomware close by. The only thing missing is real action to begin preparing to implement EO 14028. The table is set; we just need some people on the Government side to take a seat and start working on EO 14028 pilots.
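To make "NTIA-compliant SBOM" concrete for a pilot, the following is an added example (not code from the post, NIST or NTIA) that reads a constructed CycloneDX 1.4 JSON SBOM and reports which of the NTIA minimum elements are missing per component; the SBOM content and the sample supplier names are invented for illustration.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM used as sample input (not a real product's SBOM).
# "lib-b" deliberately lacks a supplier, version and identifier so the check has gaps to report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2021-12-01T10:00:00Z",
        "authors": [{"name": "Example SBOM Tool"}],
        "component": {"bom-ref": "app", "name": "example-app", "version": "2.0.0"},
    },
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "version": "1.4.2",
         "supplier": {"name": "Vendor A"}, "purl": "pkg:generic/lib-a@1.4.2"},
        {"bom-ref": "lib-b", "name": "lib-b"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b"]}],
})

# NTIA minimum elements (July 2021): supplier name, component name, version, other unique
# identifiers, dependency relationship, author of SBOM data, timestamp.
def ntia_gaps(sbom_json: str) -> dict:
    """Map 'document' and each component name to its missing NTIA elements (empty dict = complete)."""
    bom = json.loads(sbom_json)
    meta = bom.get("metadata", {})
    gaps = {}
    doc_checks = [("timestamp", meta.get("timestamp")),
                  ("author of SBOM data", meta.get("authors") or meta.get("tools"))]
    doc_gaps = [label for label, present in doc_checks if not present]
    if doc_gaps:
        gaps["document"] = doc_gaps
    # Every bom-ref that takes part in at least one dependency relationship.
    related = set()
    for dep in bom.get("dependencies", []):
        related.add(dep.get("ref"))
        related.update(dep.get("dependsOn", []))
    for comp in bom.get("components", []):
        checks = [
            ("component name", comp.get("name")),
            ("version", comp.get("version")),
            ("supplier name", (comp.get("supplier") or {}).get("name")),
            ("unique identifier", comp.get("purl") or comp.get("cpe") or comp.get("swid")),
            ("dependency relationship", comp.get("bom-ref") in related),
        ]
        missing = [label for label, present in checks if not present]
        if missing:
            gaps[comp.get("name") or comp.get("bom-ref", "<unnamed>")] = missing
    return gaps
```

Running `ntia_gaps(SAMPLE_SBOM)` on the constructed SBOM flags only `lib-b`, which is the kind of incomplete entry a consumer should reject or send back to the supplier before relying on the SBOM for risk assessment.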
The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.