Biden Administration is Finalizing Executive Order Prompted by SolarWinds
In response to the SolarWinds supply chain attack, the Biden administration plans to release an executive order (EO) establishing cybersecurity standards for companies that conduct business with the US government. The EO is expected to include software development standards and plans for investigating cyber incidents. In effect, the EO uses the federal procurement process to drive change in how software is developed.
The US government using its buying power to drive higher standards in cybersecurity is a good thing, but it can’t just be more maturity model/process certification paperwork requirements. Actual security testing of products and services needs to be part of the mandates. Also, the idea of a “Cyber NTSB” (first raised by Steve Bellovin many years ago, and more recently by Bellovin and Adam Shostack) is a really vital initiative that needs to come from the federal level to be effective.
Good step in the right direction, one that does not require legislation. That said, we need to hold accountable suppliers who distribute malicious code, including “back doors.” This may require legislation.