Zero Trust Defines Software Supply Chain Security at CFPB, DOE
CFPB and DOE shift their attention to zero trust as they work to eliminate risks and build a higher level of protection around their software supply chains.

Zero trust has become a major focal point for software supply chain security efforts at the Consumer Financial Protection Bureau (CFPB) and the Department of Education since the SolarWinds and Log4j attacks.
Dr. Tiina Rodrigue, CISO with the Office of Technology and Innovation at CFPB, said cybersecurity is a team sport, which is critical from a zero trust and software supply chain management perspective.
“There’s no one team that’s responsible for software, we have software everywhere and the risk itself is dynamic,” Rodrigue said during ATARC’s How to Be Prepared Against Evolving Software Supply Chain Attacks webinar last week. “Security is not a destination, so we have to instill change in the heads, hearts and hands of those who are doing the work.”
Because stolen credentials and user identities are often an entry point for bad cyber actors, CFPB is focused on ensuring its own employees aren’t “the enemy.”
“We need to make sure those opportunities that we identify are prioritized and as we’re doing our sketching and prototyping that security is integrated whether we build it ourselves, get it from open source or if we buy it,” Rodrigue said.
Education Department CISO Steven Hernandez said many agencies are thinking about how to secure the application layer, or Layer 7, of software in the Open Systems Interconnection (OSI) Model. Hernandez believes that once zero trust is being enforced, monitored and executed at Layer 7, agencies can stop caring about Layer 6 and below.
“If we can get our development teams racked and stacked on zero trust a lot of what we’re doing below can be phased out even faster and really at the end we will be talking about applications and software, interfacing with people and services and all of the zero trust options getting brokered at that layer,” Hernandez said during the ATARC webinar.
Many software supply chain risks have been maliciously embedded and can’t be detected, so zero trust needs to become the mantra for federal agencies ramping up digital product development.
“We need to recognize that even in our updates and upgrades the security is still critical,” Rodrigue said. “Anywhere you have an input into your system, it doesn’t matter whether it’s a mobile mart or WiFi all of those have to be secured. It’s about zero trust. Always, always, always verify and reauthenticate.”
When looking at software supply chain security, some of CFPB’s best practices include making sure the contracting team is trained in cybersecurity and maintaining transparency throughout the entire software lifecycle.
“There should be early, open and honest communication with the software vendor, if they have a problem, that they don’t try to hide it, is critical,” Rodrigue said. “It’s not when a problem happens anymore, it’s did the problem happen, and when it does, make sure you’re proactive not reactive so that everyone can take the right steps because in the end we just want to stay resilient and strong.”