On May 12, 2021, President Biden issued Executive Order (EO) 14028, setting in motion efforts to pay closer attention to potential threats introduced earlier in the supply chain. While the order primarily charged multiple agencies with directives that are still in the process of being fulfilled today, it laid the groundwork for what can be expected moving forward. However, if you’re in the private sector and do not do business with the government, you’re most likely left wondering whether this will affect your organization at all. Without knowing anything about you or your company, I can still confidently say that it does. There are a couple of examples from the past that serve as precedent.
NIST Cybersecurity Framework
This most recent EO certainly isn’t the first time that the government stepped in to help combat cybersecurity threats. In 2013, the Obama administration issued EO 13636, which outlined the responsibilities of federal departments and agencies in improving the cybersecurity of critical infrastructure. As a result, NIST gathered several key stakeholders to develop what is known today as the Cybersecurity Framework (CSF). This framework provides a common language to help organizations understand and manage their current cybersecurity posture. Basically, it helps entities understand the types of risks they face, and how well-positioned they are to handle them. With this information, necessary improvements can be made to reduce risk.
The primary stakeholders of the CSF have always been private sector operators of critical infrastructure, such as pipelines and power grids, but the CSF has grown to be adopted by a diverse set of organizations and governments across the globe. Some of the more notable organizations that leverage it include JP Morgan Chase, Microsoft, Boeing, Intel, the Bank of England, and the Ontario Energy Board. While none of these organizations are required to adhere to the CSF, they took advantage of it to shape their programs and secure their businesses. Considering that the newest EO makes a call for input from industry experts, one can reasonably expect software vendors and consumers to turn to it for guidance.
NIST Special Publication 800-161
For another example of federal policies making it into the private sector, we can look at NIST Special Publication (SP) 800-161. The NIST 800 series is a set of policies, procedures, and guidelines specified by the United States federal government. 800-161, first published in 2015, was originally intended to help federal agencies address the supply chain integrity of the software they use. Since then, it has been revised and adapted by a variety of governmental and non-governmental organizations wishing to solidify their supply chain risk management programs. This publication has become so relevant that it has worked its way into international standards—it has been mapped to ISO 20243.
While I haven’t been very subtle in making my point thus far, plainly put, you do not have to be in, or work with, the public sector or critical infrastructure to be affected by the latest cybersecurity executive order. The outcomes of initiatives such as these tend to become guiding principles and de facto standards in the industries to which they apply. And this is for good reason. These processes typically bring together the topic’s greatest minds and experience, rallied behind one joint cause. Taking advantage of the results is simply prudent and efficient.
So as a software producer and vendor, you probably want to get ahead of the game and start preparing for what might be asked of you by the consumers of your products. By taking hints from EO 14028, you get a solid picture of what to expect and where to start.