NIST recently released several key deliverables relating to cybersecurity. These focus on secure software development and new consumer labeling programs as contemplated by President Biden’s Executive Order 14028, which seeks to implement multiple new practices to improve the Nation’s cybersecurity.
Software Supply Chain Deliverables:
The security of the software supply chain is of great importance following multiple far-reaching cyber attacks in recent years. To help software developers mitigate the risk of vulnerabilities, NIST released a final version of its Secure Software Development Framework (SSDF) (available here: SP 800-218, Secure Software Development Framework (SSDF)). The SSDF is organized into four groups of high-level practices and tasks:
- Prepare the Organization
- Protect the Software
- Produce Well-Secured Software
- Respond to Vulnerabilities
NIST also published guidance for software acquirers on how to secure proper attestation that a developer has followed required security practices as called for by the Executive Order. The guidance document focuses on best practices for federal agency procurement of software and includes examples of what should be required in a conformance statement. Generally, the government may accept first-party attestation unless a risk-based approach determines second or third-party attestation is required. New federal regulations are expected this year that will memorialize the recommendations in government contracts and subcontracts.
Consumer Labeling Deliverables:
NIST also released two final deliverables addressing recommendations for cybersecurity labeling programs for consumer software and consumer internet of things (IoT) devices. The impetus behind the programs is President Biden’s Executive Order, which aims to better educate the public on cybersecurity practices and the security capabilities of products. At present, these programs are meant to be voluntary and are in the very early stages of development. NIST acknowledges that implementation of the programs will require a scheme owner to guide and own the programs.
NIST’s documents outline general desired outcomes for a labeling scheme, including three key considerations:
- Baseline Product Criteria
- Labeling Considerations (Single Binary Label)
- Conformity Criteria and Assessment
NIST recommends that labeling be based on baseline product criteria rather than set standards. For software, NIST outlines 15 baseline product criteria ranging from implementation of secure development processes to documenting information regarding software integrity and provenance. For IoT, NIST recommends 10 baseline product criteria to include extensive documentation of the development lifecycle of an IoT product with a focus on cybersecurity considerations and the origin of product components.
For labeling considerations, NIST recommends a “binary label” that would easily signal to non-expert users that a product has met a baseline standard. Finally, NIST believes that a single conformity assessment approach would not achieve desired objectives and recommends that a scheme owner specifically tailor the assessments to the recommended product.
Putting it into Practice: Software producers should familiarize themselves with the SSDF and NIST documents as best practices for development of secure software, while government contractors in this space will want to pay particular attention and adopt NIST’s guidance in anticipation of new regulations. Companies that provide IoT devices should stay abreast of developments for consumer labeling and seek to ensure devices are developed with security standards in mind.