In September 2022, the Biden-Harris administration issued a memo, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, which built upon existing executive orders and directives to safeguard federal information systems.
These initiatives prompt agencies to strengthen security postures but will also require them to gain better visibility and management of their software supply chain and potential vulnerabilities.
One related effort, the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 23-01 - Improving Asset Visibility and Vulnerability Detection on Federal Networks, requires agencies to conduct on-demand asset discovery to fully understand vulnerabilities within 72 hours of receiving a request from CISA.
These directives come simultaneously as the nation works to fill a cyber talent shortage. Agencies are faced with the challenge of pivoting existing strategies to fulfill evolving compliance requirements, while also requiring additional support as agencies transform workflows and workforces.
A software bill of materials (SBOM), an inventory of the software components, libraries, tools, and processes used to build and deploy a software artifact, is key to helping agencies address the recent memo and other initiatives. Developers can use an SBOM as a roadmap to trace the entire development process behind an artifact.
When fully utilized, SBOMs can be a valuable tool to identify and address potential security challenges, even as vulnerabilities touching the software supply chain evolve. However, this remains a challenge, as many agencies still need to get their arms around the SBOM requirements that could help support these demands.
Identifying and mitigating software vulnerabilities
SBOMs provide the baseline necessary to understand software and potential vulnerabilities that lie within it. This baseline then helps agencies meet critical requirements set forth to provide deeper visibility into application dependencies that could be exploited. As a result, agencies need to produce an SBOM that can identify vulnerabilities—both in the pipeline and in production—and help mitigate risks.
However, traditional SBOMs have been stand-alone documents rather than integrated into modern agencies’ DevSecOps workflows. To make SBOMs fully functional, agencies need to do more than simply generate an inventory. Capabilities should include automatically generating SBOMs, connecting them with other application security scanning tools, and integrating the details into a dashboard so that required actions are clear. It’s also vital for solutions to provide continuous updates so the information remains accurate in real time.
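As an added illustration of what “connecting an SBOM with scanning tools” means in practice (example code written for this page, not from the article or from GitLab), the snippet below reads a CycloneDX-style SBOM and cross-references each component against an advisory feed, flagging any dependency that sits below the fixed version. The SBOM, package names and advisory ids are constructed placeholders, and the version comparison is simplified to dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM fragment (placeholder packages, not a real project).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.1",
     "purl": "pkg:maven/example/log-helper@2.14.1"},
    {"type": "library", "name": "yaml-parse", "version": "5.4.0",
     "purl": "pkg:pypi/yaml-parse@5.4.0"},
    {"type": "library", "name": "tls-core", "version": "1.1.2",
     "purl": "pkg:generic/tls-core@1.1.2"}
  ]
}
"""

# Constructed advisory feed, standing in for what a scanning tool would supply:
# affected package name, first fixed version, and a placeholder advisory id.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "log-helper", "fixed_in": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-2", "name": "yaml-parse", "fixed_in": "5.4.0"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple (no pre-release handling)."""
    return tuple(int(part) for part in version.split("."))


def match_sbom(sbom_text, advisories):
    """Return one finding per SBOM component that is older than an advisory's fixed version.

    A component whose version equals or exceeds fixed_in is considered patched and is
    not reported, so re-running this after every build keeps the dashboard current.
    """
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] != adv["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"purl": comp["purl"],
                                 "advisory": adv["id"],
                                 "upgrade_to": adv["fixed_in"]})
    return findings
```

Each finding carries the package URL from the SBOM, the advisory it matched and the version to upgrade to, which is the “required action” a dashboard needs to show.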
Agencies can accelerate their efforts to meet emerging government requirements by implementing a DevSecOps platform built with governance capabilities that can automatically generate and connect SBOMs with security scanning tools. Leveraging a platform with enhanced built-in security throughout all steps of the development process improves end-to-end security and addresses compliance without limiting effectiveness or efficiency, even beyond these requirements.
Agencies must allocate time toward training to ensure that employees gain mastery of new tools before the impending deadlines. Results from GitLab’s 2022 DevSecOps report discovered 56% of respondents found it difficult to get developers to prioritize fixing code vulnerabilities. Guidance on how to address vulnerabilities can encourage prioritization of these actions.
For an overburdened IT workforce, extra support can help ensure agencies meet compliance standards. Easy-to-use solutions that integrate security training with technical guidance to resolve issues can simplify and secure the DevSecOps lifecycle, while features that automate tasks and help developers track risky dependencies, including suggested remediations, are also crucial.
Agencies can meet the requirements of the federal mandates and guidance with SBOM capabilities that offer complete visibility, even as dependencies change, and provide support for acting on found vulnerabilities. Implementing tools that weave in security at every step isn’t just crucial to meeting baseline government requirements – it’s the key to safeguarding our nation’s critical infrastructure and overall security.
The regulatory landscape is evolving, and so are the cyber risks as we move closer to a new reality with growing digital societies, increased remote workforces, and global interconnectedness. As a result, software must be fully transparent and secured down to even the smallest component, as agencies must be able to detect and remediate security vulnerabilities quickly. That makes the implementation of SBOMs a must – failure to do so is simply a security risk.
Bob Stevens is vice president of public sector at GitLab, operator of the GitLab open source platform that helps teams of programmers collaborate.
Have an opinion?
This article is an Op-Ed and the opinions expressed are those of the author. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET and Federal Times Senior Managing Editor Cary O’Reilly.