New Software Vendor Standards Coming Within Weeks, CISA Head Says 

The government is just weeks out from establishing new security standards for providers of its IT, according to Cybersecurity and Infrastructure Security Agency Acting Director Brandon Wales. 

“There's just a lot more that we can do and I think in the coming weeks, you will see the government roll out some of its initiatives in this area,” Wales said at an event Tuesday hosted by the public-private Cyber Initiatives Group.

The Biden administration’s approach to supply chain security is eagerly awaited as major tech companies bemoan what they say was an overly broad effort by former President Donald Trump to limit the import of information and communications technology from “foreign adversaries.” The rule leaves the meaning of that term, and the ultimate decision on whether a given import should be allowed, up to the Commerce Secretary. 

In comments filed Monday with the Commerce Department, which issued the implementing rule for Trump’s executive order on the issue, the Information Technology Industry Council ripped into the document saying “the scope and breadth of this rule remains impossibly broad and raises significant due process concerns.”

At the same time, the breach of federal networks that leveraged access to network monitoring company SolarWinds and insufficient tracking mechanisms in default Microsoft licenses has spurred new calls for raising the bar on vendor security with measures that go beyond banning tech from China and other countries.

“I think it's not necessarily a question of international versus domestic supply chains but it's a matter of what is the supply chain risk management approach that we're taking to identify potentially problematic vendors or critical products or services that need [an] enhanced level of scrutiny,” Wales told Sen. Jacky Rosen, D-Nev., during a recent hearing on the breaches.

Wales said coming rules for vendors might also include requiring that they have vulnerability disclosure policies that encourage security researchers to find and report weaknesses in their products. 

“That is certainly an area that we are actively working with [the Office of Management and Budget] on and with other federal agencies to ensure that we put that in place,” he said in response to Rosen, who asked whether CISA was planning on extending its binding operational directive on the issue to contractors.

“There's a lot that we need to do through the federal contracting process to ensure that the vendors that are providing IT products and services for the federal government have the appropriate level of cybersecurity in place,” he said, noting such action wouldn’t necessarily come from a CISA directive.

During the hearing, Wales said agencies are working together to ensure consistency in the government’s approach to supply chain security across the Commerce Department rule, a similar executive order aimed at removing foreign adversaries from the bulk power sector, and the new Federal Acquisition Security Council chaired by OMB. 

At the event Tuesday, he provided a little more detail on what the administration is planning.

“We've been working, you know, in the interagency, White House-led, to examine what are the options for improving that, particularly in the software development cycle, what additional standards need to be developed, particularly for software that are products that are likely to have escalated privileges inside of networks.”

Wales said the administration is counting on higher federal procurement standards to elevate security across the private sector as well. 

“This is not only where the government is helping itself but the government wants to use its unique market position to help shape that market and improve the security of the vendors that are providing software products and services, not just to the federal government but to the entire community,” he said.