Commerce Proposes Third Party Audits as Criteria in Supply Chain Rule for Software

The Commerce secretary should consider whether connected software applications have been evaluated for security by a reliable third party when reviewing transactions with U.S. entities, under a new proposal from the department.

Commerce proposed adding “a lack of thorough and reliable third-party auditing of connected software applications,” to a list of criteria for determining whether to approve imports and other transactions involving information and communications technology, according to a notice published in the Federal Register Friday.  

The proposal is in response to an executive order President Joe Biden issued in June instructing Commerce to adjust an order from former President Donald Trump which aimed to limit the reach of foreign adversaries looking to acquire sensitive data from Americans. While the Biden order reversed Trump bans specifically targeting Tik Tok and WeChat, it maintained the core of the Trump order authorizing the Commerce secretary to deny transactions deemed threatening to national security under the International Emergency Economic Powers Act. 

The Biden order also expanded on the Trump order by making “connected software applications” subject to the reviews and focussing on third-party audits—a hotly debated area of cybersecurity policy, as demonstrated by the Defense Department’s Cybersecurity Maturity Model Certification program.  

The proposal Commerce published Friday also opens up the conversation, seeking feedback on whether it goes far enough or should be more tightly tailored.

“The Department seeks public comments on these criteria, including how the Secretary should apply these to ICTS transactions involving connected software applications, and whether there are additional criteria that should be considered by the Secretary with respect to connected software applications,” the notice reads.

Commerce further asks whether certain criteria should be considered even if a foreign adversary is not directly involved.

“Should the Department add a criterion such as whether the software has any embedded out-going network calls or web server references, regardless of the ownership, control, or management of the software?” the department wrote. 

The notice also raises questions that would be applicable to other agencies or organizations considering the use of third-party verification for supply-chain security. It asks, for example, if terms such as “independently verifiable measures” need to be defined in the rule, whether audits should apply to just the connected software applications or also to the implementing organization, whether it’s understood that third-party security verification needs to be a continuous process throughout the life cycle of the application’s deployment, and whether the rule, as proposed, is understood to apply only to source-code or would also include activities such as log monitoring.

Supply chain threats to information and communications technology have received greater attention this year due to sweeping cyberattacks by suspected nation-state actors.

A recent Government Accountability Office report on the Cybersecurity and Infrastructure Security Agency’s management of the communications sector, for example, noted aggressive activity from China in highlighting the need for employee training on threat detection. 

The report recommended CISA update its own assessment of the sector’s security to include emerging risks posed by the information and communications technology supply chain. 

CISA agreed, and committed to updating its plan for the communications sector—last issued in 2015—by September of 2022.