Last week, Tidelift CEO and co-founder Donald Fischer hosted a webinar in which he analyzed the new U.S. government cybersecurity regulations to help organizations building applications with open source understand how they may be impacted. Below are some of the highlights; to hear the whole story, you can watch the webinar on demand now.
Donald kicked off the webinar by offering a bit of context as to how these U.S. government requirements came into being. In the last decade we’ve seen cybersecurity events such as Heartbleed, the Equifax and Apache Struts incident, the SolarWinds breach, and most recently the Log4Shell supply chain vulnerability—and the U.S. government has taken notice.
In response to the growing number of cybersecurity issues, the U.S. government (and other governments around the world, including the EU) started publicly announcing initiatives and guidelines to improve cybersecurity.
In May 2021, the White House issued Executive Order 14028 on Improving the Nation’s Cybersecurity. Following the directives in that order, the National Institute of Standards and Technology (NIST) published specific guidance on secure software development standards (including for third-party software) in its NIST Secure Software Development Framework and NIST Software Supply Chain Security Guidance documents. Next came White House Office of Management and Budget (OMB) memorandum M-22-18, which stated that organizations will need to self-attest that they comply with all of the proposed NIST guidelines by as soon as June 2023, among other key deadlines.
Attestation is the “issue of a statement, based on a decision, that fulfillment of specified requirements has been demonstrated.” In this case, organizations selling software to the government will be required to self-attest that they conform with all of the secure software development standards outlined in the NIST guidelines.
Source: Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e
For more information on self-attestation and the associated key dates, we recommend reading our blog post breaking down upcoming deadlines.
It’s important to note that self-attestation will likely include attesting to the security practices of the open source used in an organization’s applications, so organizations using open source should pay particular attention to these new requirements as they continue to become clearer.
Donald shared a chart showing how these new requirements will in some way impact all organizations.
Donald recommended that technology leaders should start asking themselves some simple questions to get their arms around the impact that these new cybersecurity regulations will have on their work. Organizations that sell software to the government may want to start here:
To answer these questions and to implement a self-attestation game plan, organizations will need visibility into their open source software supply chain: which components they are using, and which security practices those projects follow.
Yet the so-called open source software supply chain is not a traditional supply chain, in that open source maintainers typically have no business relationship with their users and license their software “as is” with no warranty (see our blog post Oops! I’m part of a supply chain! for more information). It’s more important now than ever to work alongside open source maintainers to improve the security of the software supply chain upstream.
Tidelift partners directly with maintainers to ensure their projects meet critical government and industry standards, and we pay maintainers for this important work. To learn more about the government guidelines outlined above and to figure out how your organization can be prepared for the upcoming deadlines, you can watch the webinar here or visit our government open source cybersecurity resource center.