Federal Agencies Implementing New Approaches to Software Security
Modernized approaches to software security improve vulnerability detection and help prevent incidents like the SolarWinds supply chain attack.
Federal agencies are developing proactive methods of detecting software vulnerabilities, fostering a more forward-looking approach to cybersecurity designed to prevent incidents like the 2020 SolarWinds attack.
Speaking at GovCIO Media & Research’s Sep. 29 zero trust event, representatives from security-focused agencies outlined how a push for more robust software security is being translated into government-wide policy.
Fortifying software supply chains has been an increasing focus among federal cybersecurity agencies, particularly since the May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028) was issued. The order has also shaped the work and mission of the recently established Office of the National Cyber Director (ONCD), which has pushed for stronger software security since the office was stood up in 2021, particularly in helping agencies move away from perimeter defense and toward breach detection and damage mitigation.
“What the executive order does is it recognizes that fundamentally we are not going to make this space secure. What we are going to do is we’re going to make it defensible. And so we’re employing new policies and new ways of thinking about security so that you are no longer looking at just the perimeter. We are looking at everything inside that perimeter. That’s what zero trust really means,” said ONCD Director of Federal Cybersecurity Phil Stupak.
This drive toward more comprehensive software supply chain review has also informed the work of the National Institute of Standards and Technology (NIST), which has sought to codify an approach to vulnerability review that can be adopted across government. NIST’s work in this area has focused heavily on collaboration and knowledge building, which helped shape the newly released Secure Software Development Framework (SSDF, NIST SP 800-218).
“As part of the response, what we started doing is we started, number one, working with communities. And for us, it means public events, it means workshops, it means inviting people from different walks of life, and essentially, roll up our sleeves and start a conversation about what is this common language that we will speak in? Can we agree on something, and make sure that we put a lexicon in place first so we can continue this conversation. And this is how we developed the first version of the Secure Software Development Framework,” said Natalia Martin, director of NIST’s National Cybersecurity Center of Excellence.
The ultimate goal of this approach is whole-of-network security that can prevent, or at least limit the damage from, incidents like the SolarWinds attack, in which attackers inserted malicious code into a vendor’s software build and distributed it through legitimately signed updates to gain widespread access to customer networks. The Defense Digital Service has been especially proactive in developing methods of harm mitigation, including its “bug bounty” program, Hack the Pentagon, which invites outside researchers to find as-yet-unknown vulnerabilities in Defense Department software.
“We have some internal tools that we can use to help organizations map their cyber terrain and evaluate the impact of a particular cyber incident as it occurs so we can help them surge in that time of temporary crisis. We also were able to use the Hack the Pentagon program for the first time as a rapid response to a cyber incident during the Log4j incident that happened about a year ago. It allowed us to turn around and open a bug bounty as a rapid response to this incident in about 24 hours,” said Nicole Thompson, digital services expert at the Defense Digital Service.