In 2021, SAFECode established a new working group – Executive Order (EO) on Improving the Nation’s Cybersecurity – to discuss and provide feedback on the preliminary guidelines published by NIST in response to the May 2021 Cybersecurity Executive Order. Within weeks of the release of the EO, SAFECode had submitted position papers, participated in workshops, and commented on drafts. An official working group was established in September to continue these efforts.
The U.S. Government has recognized the role of software developers in improving the country’s cybersecurity, and the EO charged NIST with the task of identifying new standards, tools, best practices, and other guidelines to enhance software supply chain security.
“With increasing cyber threats, security needs to be an integral element of the software development lifecycle,” said SAFECode Executive Director Steve Lipner. “SAFECode believes that the Executive Order will encourage all commercial software companies to take the steps necessary to assure the security of products under development or those imported from other developers.”
SAFECode members provided feedback and participated in many workshops, roundtable discussions, and public review sessions that followed the publishing of the Executive Order. The working group reviewed and commented on four documents issued by NIST and by the National Telecommunications and Information Administration (NTIA):
- Software Bill of Materials Elements and Considerations
- Draft Baseline Criteria for Consumer Software Cybersecurity Labeling
- Cyber Supply Chain Risk Management Practices for Systems and Organizations
- Secure Software Development Framework (SSDF)
In addition, SAFECode was represented at two NIST workshops on plans and strategies for responding to the EO.
“Our comments and workshop positions were mainly focused on clarifying the guidelines and fine-tuning some of the language,” said Steve. SAFECode collaborated with NIST and other organizations on the original set of SSDF practices published in 2020. “The recommended SSDF issued by NIST builds on many of the best practices developed by SAFECode members,” said Steve Lipner. “The SSDF guides software developers on how to use a risk management approach to account for potential security risks and threats in product development. The approach also reflects what kind of technology is being used as well as the end-user for the product.”
In February 2022 – nine months after the release of the Executive Order – NIST will release additional guidance on supply chain security based on the feedback it received. Final guidelines will be published by May 2022, along with the process for making future updates.
“This has been a great opportunity for the SAFECode members to share their expertise and ideas and help others prepare for compliance with the EO requirements,” said Steve.
SAFECode provides its members with many opportunities – through working groups, initiatives, and events – to collaborate with their peers on technical challenges, guide SAFECode’s focus areas, and support their continued professional development. More information on joining SAFECode is available on the SAFECode website.