NIST recently released several key deliverables related to cybersecurity. These focus on secure software development and new consumer labeling programs, as provided for in President Biden’s Executive Order 14028, which aims to implement several new practices to improve the nation’s cybersecurity.
Software Supply Chain Deliverables:
Software supply chain security is of great importance following multiple high-profile cyberattacks in recent years. To help software developers mitigate the risk of vulnerabilities, NIST has released a final version of its Secure Software Development Framework (SSDF) (available here: SP 800-218, Secure Software Development Framework (SSDF)). The SSDF is organized into four groups of high-level practices and tasks:
NIST has also released guidance for software acquirers on how to obtain proper attestation that a developer has followed required security practices, as required by the executive order. The guidance document focuses on best practices for software procurement for federal agencies and includes examples of what should be required in a compliance statement. Generally, the government may accept first-party certification unless a risk-based approach determines that second- or third-party certification is required. New federal regulations are expected this year that will memorialize these recommendations in government contracts and subcontracts.
Consumer Labeling Deliverables:
NIST also released two final deliverables addressing recommendations for cybersecurity labeling programs for consumer software and consumer Internet of Things (IoT) devices. The impetus behind the programs is President Biden’s executive order, which aims to better educate the public on cybersecurity practices and product security capabilities. Currently, these programs are meant to be voluntary and are in the very early stages of development. NIST recognizes that program implementation will require a program owner to guide and own the programs.
NIST documents outline general desired outcomes for a labeling system, including three key considerations:
Basic product criteria
Labeling considerations (single binary label)
Compliance criteria and evaluation
NIST recommends that labeling be based on commodity criteria rather than established standards. For software, NIST defines 15 core product criteria ranging from implementing secure development processes to documenting information regarding the integrity and provenance of software. For IoT, NIST recommends 10 core product criteria to include full documentation of an IoT product’s development cycle with an emphasis on cybersecurity considerations and the origin of product components.
For labeling considerations, NIST recommends a “binary label” that would easily signal to non-expert users that a product has met a basic standard. Finally, NIST believes that a single conformity assessment approach would not achieve the desired goals and recommends that a program owner tailor assessments specifically to the recommended product.
Putting It Into Practice: Software producers should familiarize themselves with the SSDF and NIST documents as best practices for developing secure software, while government contractors in this space will want to pay close attention and adopt NIST guidelines in anticipation of new regulations. Companies supplying IoT devices should keep abreast of developments in consumer labeling and seek to ensure that devices are developed with security standards in mind.
Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 73