US agencies no longer have to check what's inside their software

Software used by government agencies should be as secure as possible, and that starts with how it is developed. US federal agencies, however, are no longer required to check.

A US flag hangs limply at the bottom of a flagpole, in the wet soil.

(Image: Daniel AJ Sokolov)


The White House is lifting IT security requirements for US federal agencies. The rules for software used by government agencies, created in the wake of the SolarWinds disaster, are no longer binding. A key component was that agencies had to document which libraries, programs, and services their software depends on (a Software Bill of Materials, SBOM). With that inventory in hand, it is far easier to determine whether a newly published vulnerability in some component actually affects one's own systems.
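To make the SBOM point concrete, here is an added example that is not part of the original article: it parses a small CycloneDX-style SBOM (constructed for this example) and checks each component's package URL (purl) and version against a constructed advisory feed. The advisory identifiers are made up; the version ranges use the OSV convention of an inclusive "introduced" and an exclusive "fixed" bound. Version comparison is a deliberately simple numeric dotted-segment compare, not full semver or PEP 440, and purl parsing assumes the namespace is percent-encoded as the purl spec requires, so the last "@" separates the version.

```python
import json
import re

# Constructed CycloneDX-style SBOM (not a real inventory). Four components:
# two with advisories that apply, one fixed already, one with no version at all.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "name": "vendor-sdk", "purl": "pkg:generic/vendor-sdk"}
  ]
}
"""

# Constructed advisory feed with fictitious identifiers.
# "introduced" is inclusive, "fixed" is exclusive (OSV range semantics).
ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:npm/lodash",
     "introduced": "4.0.0", "fixed": "4.17.21"},
    {"id": "ADV-0002", "package": "pkg:pypi/requests",
     "introduced": "2.0.0", "fixed": "2.25.0"},
    {"id": "ADV-0003", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0"},
]


def parse_version(v):
    """Turn '2.14.1' or '1.2.3-beta' into a comparable tuple, padded to 3 segments
    so that '2.15' and '2.15.0' compare equal. Simplification: not full semver."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def split_purl(purl):
    """Return (package part without version, version or None).
    Qualifiers (?...) and subpath (#...) are dropped before splitting."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        pkg, ver = base.rsplit("@", 1)
        return pkg, ver
    return base, None


def is_affected(version, adv):
    """True if version lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def match_sbom(sbom_text, advisories):
    """Return (hits, unresolved): hits are (package, version, advisory id) triples,
    unresolved lists components whose version could not be determined, which an
    SBOM consumer must report rather than silently treat as clean."""
    sbom = json.loads(sbom_text)
    hits, unresolved = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unresolved.append(comp.get("name", "?"))
            continue
        pkg, ver = split_purl(purl)
        if ver is None:
            ver = comp.get("version")
        if ver is None:
            unresolved.append(pkg)
            continue
        for adv in advisories:
            if adv["package"] == pkg and is_affected(ver, adv):
                hits.append((pkg, ver, adv["id"]))
    return hits, unresolved


if __name__ == "__main__":
    found, gaps = match_sbom(SBOM_JSON, ADVISORIES)
    for pkg, ver, adv_id in found:
        print(f"AFFECTED {adv_id}: {pkg}@{ver}")
    for pkg in gaps:
        print(f"UNRESOLVED (no version in SBOM): {pkg}")
```

Note that the component without a version is reported separately rather than dropped: an SBOM that omits versions cannot answer the "am I affected?" question, which is exactly the gap a procurement rule requiring complete SBOMs was meant to close.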

Last Friday, the Office of Management and Budget (OMB), part of the Executive Office of the President, rescinded the previous security rules for the procurement and use of software (memorandum M-26-05). Henceforth, each agency is to decide for itself which risks it is exposed to and how to address them. This follows from the deregulation policy of Republican US President Donald Trump.

Federal agencies are now free to choose whether to comply with the NIST Secure Software Development Framework (SSDF, SP 800-218) and the NIST Software Supply Chain Security Guidance. The new memorandum describes these rules as “unproven and cumbersome” and as having “prioritized compliance over genuine security investments.” What OMB Director Russell Vought considers a genuine security investment is left open.

“Each agency shall validate the security of its suppliers by applying secure programming principles, based on a comprehensive risk assessment,” he states in general terms. Agencies are still to maintain an inventory of the software and hardware they use and to develop their own policies and processes for both, but only to the extent that “their risk assessment and tasks” require. What this means in practice is left to the individual agencies.

The security measures now being lifted have a history: in 2019, attackers, allegedly Russian state-sponsored, compromised the build process of SolarWinds' Orion platform and smuggled a Trojan into official, signed updates. At the time, SolarWinds' network and security products were used by more than 300,000 customers worldwide, among them many Fortune 500 companies as well as government bodies such as the US military, the Pentagon, and the State Department. Customers that installed the tampered updates had their systems compromised from March 2020 onward. In late 2020, FireEye discovered the backdoors after noticing that the attackers had plundered its arsenal of red-team hacking tools; FireEye was partly owned by the CIA. In February 2021, Microsoft executive Brad Smith called it the “largest and most sophisticated attack the world has ever seen.”


Following this severe blow, then-US President Joe Biden took measures that were consolidated in May 2021 in an executive order on IT security in federal agencies (Executive Order 14028, Improving the Nation’s Cybersecurity). Securing the software supply chain was one of its pillars. NIST (the National Institute of Standards and Technology, part of the US Department of Commerce) responded by developing the aforementioned Secure Software Development Framework and Software Supply Chain Security Guidance. This was timely: in the meantime, nearly one in three companies has been affected by an attack on its software supply chain.

Compliance with these NIST recommendations became mandatory for federal agencies in September 2022 through OMB memorandum M-22-18. Suppliers had to attest that they develop their software according to secure development practices and to disclose which components it contains (SBOM). Software developed in-house by agencies was exempt, but agencies were strongly advised to follow the same rules for it.

In June 2023, OMB memorandum M-23-16 extended certain transition periods until December of that year and clarified that open-source software is not covered, since there is no central supplier there to attest to the development process. Proprietary software distributed free of charge, such as web browsers, was likewise excluded: its vendors typically operate on a “take it or leave it” basis and are hard to persuade to undergo certification or disclose their dependencies.

Software commissioned by an agency was also exempt as long as the agency specified and supervised its development, since it then counted as in-house development. These 2023 carve-outs do not go far enough for the current US administration, which is repealing both OMB memoranda issued under the Biden administration.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.