Preparing for the impact of EO 14028 on software security

Solutions Review Contributed content series is a collection of articles written by thought leaders in the business software space. CodeSecure’s Curtis Yanko examines the dark side of the implementation of Executive Order 14028 and how it will impact software security in the private sector.

Despite the fact that the Cybersecurity Executive Order, known as EO 14028, applies to software designed for use by government agencies, these guidelines will ultimately extend to and reshape software security practices in the private sector, especially for hardware used in critical infrastructure and safety-critical industries. including automotive, aerospace, IoT, medical devices and more.

We can expect that EO 14028, which requires software vendors to adopt NIST SSDF, a set of guidelines and best practices for secure software development, will force profound changes in the private sector’s software security requirements. Specifically, it requires a proactive shift toward integrating security considerations across the entire software development lifecycle, from design and coding to testing and deployment. While this transition will require a change in mindset and resource allocation, it is a critical step toward minimizing software supply chain vulnerabilities and strengthening digital assets.

Here are five ways EO 14028 and SSDF are likely to impact software security in the private sector:

1. Influence on industry standards: Private sector organizations, including those developing safety-critical products and software used in critical infrastructure, may need to voluntarily adopt SSDF standards and guidelines to align with recognized best practices.
2. Market expectations: With increasing customer expectations regarding the security and integrity of software products, especially for critical infrastructure, product selection may favor vendors that demonstrate compliance with recognized cybersecurity practices, especially those influenced by NIST, CISA, and EO 14028.
3. Enforcing security practices in the supply chain: Suppliers developing safety-critical software will likely be required to implement supply chain security practices, such as conducting thorough supplier assessments, ensuring software integrity throughout the supply chain, and implementing secure development practices.
4. Cooperation with federal agencies: Private sector organizations may need to collaborate with federal government agencies on information sharing, participation in working groups, or joint initiatives to strengthen cybersecurity measures across the broader software ecosystem.
5. Possible future regulations: While EO 14028 is specific to federal agencies, subsequent cybersecurity regulations or industry-specific standards may be established for and require compliance by private sector hardware and software vendors.

Given these current trade winds, private sector software vendors should closely monitor any subsequent developments, guidelines, or standards that emerge as a result of EO 14028. By working with industry associations, staying abreast of evolving cybersecurity practices, and consulting with legal and cybersecurity experts, organizations can help manage potential impacts and adjust their practices accordingly.

One of the ways to prepare for increased regulation within the software security supply chain is through the proactive adoption of NIST SSDF guidelines and best practices for secure software development. It emphasizes proactive identification and mitigation of security risks and promotes a mindset of continuous improvement to improve software security over time. NIST has also published Guidelines for Minimum Standards for Software Verification by Developers (NISTIR 8397)which recommends techniques to comply with the guidelines set forth in EO 14028.

While security-critical software is already tested for security vulnerabilities, integrating the NIST framework can further strengthen secure development processes in the following ways:

• Stronger security: SSDF best practices that can be applied during development, including threat modeling, secure coding practices, secure configuration management, secure authentication and access controls, secure communications protocols, and vulnerability assessments.
• Security-by-Design approach: Modern safety-critical systems must integrate safety considerations from the early stages of the development process, and not as an afterthought. In addition to the security risk assessment, developers should incorporate security requirements and risk assessments into the software development lifecycle, conduct security-focused design reviews, and implement security controls at every stage of development.
• Cooperation: The SSDF encourages collaboration between developers, testers, security professionals and management. This helps foster a security-focused culture and ensures security considerations are effectively communicated and understood across the development team. Additionally, training and awareness programs on secure software development practices are essential for success.
• Security tools: Using secure development tools and automation can help identify vulnerabilities, enforce secure coding practices, and automate security testing. Integrating such tools into existing development processes and pipelines can enhance security testing efforts and provide developers with real-time feedback on potential security issues.
• Compliance: Verification and auditing are common practices for security-critical software development, while compliance with security standards may soon be, or already is, a requirement in many industries. Following SSDF guidelines for regular security reviews, code reviews, and security testing can help demonstrate the effectiveness of security controls and identify areas for improvement during an audit.

Developers of critical infrastructure for the private sector and developers of security-critical software can expect that some or all of the requirements of Cybersecurity Executive Order 14028 will apply to them at some point. With concerns about software supply chain security risks at the forefront of customers’ minds, product security must be a focal point for embedded, IoT, and security-critical vendors. By integrating the NIST Secure Software Development Framework into their development processes, organizations can improve the security, overall quality and integrity of their products.