New federal guidelines call on software producers to attest they use secure development practices for products sold to federal agencies, according to National Institute of Standards and Technology guidance released Friday.
Software developers can self-attest they are NIST compliant, but federal agencies can ask for second- or third-party verification depending on the risk.
NIST is also conducting pilot studies around labeling the security of consumer software and IoT products. NIST will accept contributions to the pilots until March 15 and will publish a summary report in May.
The NIST guidance is part of a larger effort by the Biden administration to strengthen the security of the U.S. software supply chain following the Russia-linked attack on SolarWinds, the attack on Microsoft Exchange Servers blamed on China, and the Dark Side ransomware gang attack on Colonial Pipeline.
The Biden administration's May 2021 executive order included a series of steps designed to reduce the number of vulnerabilities that slide through the software development process and expose businesses, government and consumers to potential cyberattacks.
For Mario Vuksan, co-founder and CEO of ReversingLabs, NIST attestation should require an assessment broker as a third party to ensure compliance. Assessment brokers could be either a company or a free or open source project, where the software producer and the user can each get an identical software bill of materials.
"That's the only way that we can maintain trust and transparency between the producer and the consumer," he said.
Asked whether such a plan should operate in the same manner as the third-party assessors under the Pentagon's original model, Vuksan said no, the third party would need to perform a software inspection in a transparent fashion and provide verifiable results to both parties.
"Think of it as an independent testing lab, producing reports just like any blood diagnostics lab would," he said, adding that NIST and other regulators could drive policies and acceptable thresholds to direct producers and consumers to action based on the results in the respective reports.