Written by Dave Nyczepir
According to industry experts, companies cannot fully embrace the federal framework for secure software development until the government begins making procurement decisions based on the guidelines.
The Secure Software Development Framework (SSDF) is a conceptual document that requires developers and software vendors to demonstrate compliance using artifacts, but the artifacts agencies may require, such as threat models, log entries, source code files and vulnerability scan reports, are not universally specified in contracts.
While the National Institute of Standards and Technology recommended in the SSDF that organizations “produce well-secured software with minimal security vulnerabilities,” getting there is actually the result of government-industry collaboration to determine what is contractually feasible.
“I don’t think it’s gotten to the point where I, if I was still in government, would want to write contractual requirements thinking that I had enough specificity in what was in the software framework,” Jim Richberg, area leader for information security responsible for the public sector at Fortinet, told FedScoop.
That’s not to say the industry dislikes the SSDF; rather, it recognizes that the guidelines, which the Office of Management and Budget recently mandated agencies comply with, will help CISOs and CIOs secure their IT infrastructure and ensure it is as free of vulnerabilities as possible.
But clarifying the framework will take a lot of work, especially from the government, and will require a flexible schedule.
“I would say there will be a delay, and it should be a flexible delay,” said Bob Stevens, regional vice president of public sector at GitLab. “We’re talking about the potential change in a lot of infrastructure and a lot of transitions for government agencies.”
The cybersecurity executive order that directed NIST to develop the SSDF included three dozen actions on three competing priorities for agencies: implementing zero-trust security architectures, accelerating migration to the cloud and securing the software supply chain. While the three reinforce each other in some ways, Congress needs to allocate additional funds for the latter, Richberg said.
A large portion of the software agencies purchase from industry is enterprise software, which means it is not written solely in-house but together with other organizations. Determining contractual requirements that also reach these third-party developers and vendors will take time.
“I would be hard pressed to say this will happen in 18 months,” Richberg said.