The Key to Unlocking Government Contracts for Software Vendors in the Current Cybersecurity Landscape

In May 2021, a few months after taking office, President Joe Biden signed Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," which among other measures requires better sharing of cyber threat information between the U.S. Government and the private sector. The order followed a series of high-profile incidents, including the SolarWinds, Codecov, and Colonial Pipeline attacks, that underscored the urgent need for closer collaboration and greater resilience.

The goal of the EO is to align cybersecurity efforts across the Government and the private sector so that both are more resilient against the threat actors, criminal and state-sponsored alike, responsible for incidents like those mentioned above.

The EO zeroes in on three groups whose compromise could precipitate a national security emergency. The first is federal agencies, which must modernize their systems to keep pace with the constantly evolving threat landscape. The other two are federal contractors and the IT service providers agencies rely on, both of which must improve their supply chain security to reduce the risk of supply chain attacks.

Software supply chain security was a key focus of the EO. A 2021 survey, the year the EO was issued, found that 62% of surveyed organizations experienced some sort of software supply chain attack, making the need for robust safeguards clear. Since then, this number has grown. According to a new report by Data Theorem, 91% of organizations experienced a software supply chain attack over the last year, emphasizing the magnitude of this issue.

Understanding President Biden's Cybersecurity Executive Order

President Biden signed the EO on May 12th, 2021, marking a significant step in addressing cybersecurity concerns. This isn't the first time the highest office in the land has tackled such issues. Previously, President Obama signed into law the Cybersecurity Act of 2015, which allowed for the sharing of cybersecurity threat information between the Federal Government and private entities. However, participation in that program was voluntary. 

What sets the current situation apart is the shift from voluntary to mandatory participation, meaning vendors no longer have a choice in the matter. Vendors selling to the federal government must comply with the cybersecurity protocols and information-sharing practices the EO prescribes, which are written into federal acquisition rules, or they will not be able to secure government contracts and may face penalties for non-compliance.

The EO tasks multiple agencies, including the National Institute of Standards and Technology (NIST), with improving cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

Section 4 of the EO, 'Enhancing Software Supply Chain Security,' directs NIST to gather input from various stakeholders and to identify existing, or develop new, standards, tools, best practices, and guidelines that improve software supply chain security. These guidelines cover evaluating software security, assessing the security practices of developers and suppliers, and exploring new tools or methods for demonstrating conformance with secure practices. The same section directs the Department of Commerce, through the National Telecommunications and Information Administration (NTIA), to publish the minimum elements of a software bill of materials, which it did in July 2021.

The Importance of Cybersecurity Standards and SBOMs for Vendors

Against this backdrop, vendors face heightened scrutiny and increased compliance demands, particularly if they hope to secure contracts with the federal government. Because participation is no longer voluntary, vendors must meet the prescribed standards or risk losing out on lucrative government contracts.

For vendors engaged in government work, compliance with the EO's directives is critical. This means not only meeting current cybersecurity standards but also adapting to new requirements as agencies work to improve their security postures. Failure to do so could result in severe consequences, including penalties and loss of contracts.

The Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on SBOMs and software supply chain security that vendors may find helpful. The first step towards improving software supply chain security is knowing what is inside your apps. A "software bill of materials" (SBOM) has emerged as a key building block in software security and software supply chain risk management. Essentially, an SBOM is a comprehensive inventory of the components that make up a piece of software. Think of it like the list of ingredients on a food label. NTIA's minimum elements spell out what each entry on that label must carry: supplier name, component name, version, other unique identifiers (such as a purl or CPE), dependency relationships, the author of the SBOM data, and a timestamp, all in a machine-readable format such as SPDX or CycloneDX so that the SBOM can be generated and consumed automatically.

Implementing SBOMs gives vendors deeper insight into the makeup of their software, including third-party dependencies and the vulnerabilities that come with them. That knowledge lets them assess and mitigate risk within their supply chains and so improve their overall security posture. SBOMs also give stakeholders a common reference for communication and collaboration, allowing more informed decisions about software procurement and deployment.

SBOMs also play a crucial role in incident response and remediation. When a vulnerability is disclosed, an up-to-date SBOM lets vendors quickly identify which products contain the affected component and take action to limit the impact on their systems and customers. When Log4Shell (CVE-2021-44228) was disclosed in December 2021, for example, organizations with accurate SBOMs could query for log4j-core across their portfolio rather than inspecting every build by hand.

Striking the Balance Between Speed, Accuracy, and Security in SBOM Development

The challenge for vendors is how to produce quality SBOMs quickly while keeping them accurate and complete. Cataloguing every software component, including transitive dependencies and integrations, demands careful attention to detail and can be time-consuming. At the same time, software changes constantly through new versions, patches, and updates, so SBOMs must be regenerated and monitored continuously to stay relevant. An SBOM that is not kept current is outdated and far less useful for managing supply chain risk or responding to incidents promptly.

While the primary purpose of an SBOM is to improve transparency and informed decision-making, it also raises security concerns of its own. An SBOM is a map of the software ecosystem: it lists exactly which component versions are present, so a leaked SBOM tells an adversary which known vulnerabilities are worth trying. Vendors must therefore control who can read their SBOMs and protect their integrity, since an SBOM that has been altered, for example to hide a vulnerable version, is worse than no SBOM at all.

Balancing the need for speed in SBOM development with the imperatives of precision and security presents a challenge for vendors. The pressure to deliver quickly may tempt shortcuts or compromises in accuracy, potentially undermining the effectiveness of the SBOM in identifying and mitigating supply chain risks. Conversely, prioritizing precision and security may involve longer development cycles and resource-intensive validation processes, impeding the agility and responsiveness of the supply chain management framework.

In essence, vendors must strike a balance between speed, accuracy, and security when implementing SBOMs in their software supply chain management processes. This means streamlining workflows, generating SBOMs automatically from the build's own dependency resolution rather than compiling them by hand after the fact, using analytics tools to track components over time, and signing or otherwise protecting the SBOM so its integrity can be verified. By addressing these challenges proactively, vendors can improve their resilience against evolving cyber threats while maintaining the agility necessary to thrive in today's competitive market environment.
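As an added example (not SettleTop's code or tooling), the following Python ties together three of the points above: checking an SBOM against the NTIA minimum elements, querying it for components affected by a published advisory, and verifying an integrity tag so that a tampered SBOM is rejected. The SBOM is a constructed CycloneDX 1.5 document; the advisory record is a constructed shape that carries the real Log4Shell facts (CVE-2021-44228, log4j-core 2.x before 2.15.0); the HMAC key and the `with_version` helper are assumptions standing in for a vendor's detached signature and an attacker's edit.

```python
"""Added example (not SettleTop's): NTIA completeness check, advisory matching
and tamper detection for a CycloneDX SBOM."""
import hashlib
import hmac
import json

# Constructed CycloneDX 1.5 SBOM; "internal-utils" deliberately lacks supplier and purl.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-03-01T12:00:00Z",
        "authors": [{"name": "Example Vendor build pipeline"}],
        "component": {"bom-ref": "app", "type": "application",
                      "name": "example-app", "version": "3.2.0"},
    },
    "components": [
        {"bom-ref": "log4j", "type": "library", "name": "log4j-core",
         "version": "2.14.1", "supplier": {"name": "Apache Software Foundation"},
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"bom-ref": "util", "type": "library", "name": "internal-utils", "version": "1.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["log4j", "util"]},
        {"ref": "log4j", "dependsOn": []},
        {"ref": "util", "dependsOn": []},
    ],
}

# Constructed advisory shape carrying the real Log4Shell facts: CVE-2021-44228
# affects log4j-core 2.x before 2.15.0. Ranges are introduced <= v < fixed.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@",
     "introduced": "2.0", "fixed": "2.15.0"},
]

# Per-component NTIA minimum elements; author and timestamp are document-level.
NTIA_FIELDS = ("supplier", "name", "version", "purl")

def version_key(v):
    """Comparable tuple for plain dotted versions (enough for the sample data)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def missing_minimum_elements(sbom):
    """Map each bom-ref (or "_document") to the minimum elements it lacks."""
    missing = {}
    meta = sbom.get("metadata", {})
    doc_gaps = [n for n, ok in (("author", meta.get("authors") or meta.get("tools")),
                                ("timestamp", meta.get("timestamp"))) if not ok]
    if doc_gaps:
        missing["_document"] = doc_gaps
    edges = sbom.get("dependencies", [])  # every component must appear in the graph
    in_graph = {e["ref"] for e in edges} | {d for e in edges for d in e.get("dependsOn", [])}
    for comp in sbom.get("components", []):
        gaps = [f for f in NTIA_FIELDS if not comp.get(f)]
        if comp["bom-ref"] not in in_graph:
            gaps.append("dependency relationship")
        if gaps:
            missing[comp["bom-ref"]] = gaps
    return missing

def affected_components(sbom, advisories):
    """(bom-ref, advisory id) pairs for components inside an affected range. Entries
    without a purl cannot be matched and are skipped: an incomplete SBOM reassures falsely."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        for adv in advisories:
            if purl and purl.startswith(adv["purl_prefix"]) and (
                    version_key(adv["introduced"]) <= version_key(comp["version"])
                    < version_key(adv["fixed"])):
                hits.append((comp["bom-ref"], adv["id"]))
    return hits

def sbom_tag(sbom, key):
    """HMAC-SHA256 over a canonical serialisation; stands in for a detached signature."""
    data = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_sbom(sbom, key, tag):
    """Constant-time check of the received tag against a recomputed one."""
    return hmac.compare_digest(sbom_tag(sbom, key), tag)

def with_version(sbom, ref, new_version):
    """Deep copy with one component's version rewritten: an attacker hiding a vulnerable dependency."""
    edited = json.loads(json.dumps(sbom))
    for comp in edited["components"]:
        if comp["bom-ref"] == ref:
            comp["version"] = new_version
    return edited

if __name__ == "__main__":
    key = b"hypothetical-shared-secret"  # assumption: exchanged out of band with the buyer
    tag, forged = sbom_tag(SAMPLE_SBOM, key), with_version(SAMPLE_SBOM, "log4j", "2.17.1")
    print("incomplete entries:", missing_minimum_elements(SAMPLE_SBOM))
    print("affected before/after tampering:", affected_components(SAMPLE_SBOM, ADVISORIES),
          affected_components(forged, ADVISORIES))
    print("forged SBOM still verifies:", verify_sbom(forged, key, tag))
```

Two points worth noting. The component without a purl is never matched against the advisory, so an incomplete SBOM fails quietly rather than loudly; run the completeness check before trusting the vulnerability result. And HMAC with a shared key is only a stand-in: a vendor publishing SBOMs to many customers would sign them (Sigstore's cosign and in-toto attestations are the common choices) so that consumers can verify without holding a shared secret.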

Streamlined Software Asset Management with SettleTop's SBOM Vendor Management Solution

At SettleTop, we are committed to revolutionizing software asset management with our comprehensive SBOM Vendor Management solution. In compliance with the Presidential EO of May 2021, which mandates the safeguarding of software supply chains, our platform offers a centralized repository for securely onboarding and managing vendors along with their SBOMs.

Our solution facilitates SBOM Illumination, enabling swift identification of key risks and vulnerabilities within vendor SBOMs, in line with guidance from organizations like CISA. Through our SBOM Registry, organizations gain visibility into vendor performance, assuring compliance with government requirements and mitigating the threats their SBOMs reveal.

With SettleTop's SBOM Vendor Management, organizations can streamline vendor onboarding, assessment, and monitoring processes, securing compliance with government-mandated standards such as the SBOM minimum elements defined by the U.S. National Telecommunications and Information Administration (NTIA). Our platform offers continuous SBOM monitoring, issues alerts on known vulnerabilities, and provides remediation recommendations to strengthen supply chain security.

Our solution extends to SBOM Forensics, allowing for in-depth analysis of non-compliant vendors in accordance with regulatory frameworks like the Federal Acquisition Supply Chain Security Act (FASCSA). With our range of open-source and commercial tools, organizations can conduct thorough assessments of code quality, app security, and other risk areas.

SettleTop is more than just a software platform. It is a partner dedicated to empowering organizations with the tools and insights to improve their security posture and drive success in an ever-evolving digital landscape. With SetView, you can confidently manage the complexities of software asset management, knowing that you are compliant so that you can secure government contracts and contribute to the protection of national security.
