WASHINGTON, Jan 16 (KUNA) -- US President Joe Biden on Thursday ordered additional actions to improve "our Nation's cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats."
"Adversarial countries and criminals continue to conduct cyber campaigns targeting the United States and Americans, with the People's Republic of China presenting the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks. These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans' security and privacy," a White House press release quoted the new Executive Order as saying.
"More must be done to improve the Nation's cybersecurity against these threats," the statement reads.
Improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies and with the private sector are especially critical to improvement of the Nation's cybersecurity.
"The Federal Government and our Nation's critical infrastructure rely on software providers. Yet insecure software remains a challenge for both providers and users and makes Federal Government and critical infrastructure systems vulnerable to malicious cyber incidents," the statement argued. The Federal Government must continue to adopt secure software acquisition practices and take steps to ensure that software providers use secure software development practices, so as to reduce the number and severity of vulnerabilities in the software they produce.
The new order builds on an earlier one, Executive Order 14028 of May 2021, which directed actions to improve the security and integrity of software critical to the Federal Government's ability to function.
It directed the development of guidance on secure software development practices and on generating and providing evidence in the form of artifacts - computer records or data that are generated manually or by automated means - that demonstrate compliance with those practices.
Additionally, it directed the Director of the Office of Management and Budget (OMB) to require agencies to use only software from providers that attest to using those secure software development practices.
In some instances, providers of software to the Federal Government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise.
The Federal Government needs to adopt more rigorous third-party risk management practices and greater assurance that software providers that support critical Government services are following the practices to which they attest.
Within 30 days of the date of the new order, the Director of OMB, in consultation with the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), and the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), shall recommend to the Federal Acquisition Regulatory Council (FAR Council) contract language requiring software providers to submit their attestations and supporting artifacts to CISA through CISA's Repository for Software Attestation and Artifacts (RSAA).
Within 120 days of receiving those recommendations, the FAR Council shall review them and, as appropriate and consistent with applicable law, the Secretary of Defense, the Administrator of General Services, and the Administrator of the National Aeronautics and Space Administration (the agency members of the FAR Council) shall jointly take steps to amend the Federal Acquisition Regulation (FAR) to implement them.
The agency members of the FAR Council are strongly encouraged to consider issuing an interim final rule, as appropriate and consistent with applicable law.
As agencies have improved their cyber defenses, adversaries have targeted the weak links in agency supply chains and the products and services upon which the Federal Government relies.
Agencies need to integrate cybersecurity supply chain risk management programs into enterprise-wide risk management activities, the statement added. (end) rsr.gb