Cybersecurity Director’s National Strategy Overview Highlights Federal Software Procurement

National Cybersecurity Director Chris Inglis plans to maintain the government’s focus on software procurement as part of a long-awaited cybersecurity strategy that will focus on government spending – starting with the funding already allocated by Congress – according to the readout of a recent meeting of presidential advisers.

“Mr. Inglis said government procurement of secure software should be included in the national cybersecurity strategy,” reads the Cybersecurity and Infrastructure Security Agency’s summary of a Dec. 1 meeting of the President’s National Security Telecommunications Advisory Committee. “He stressed that it should be easier for agencies to source more secure products.”

The President’s NSTAC is made up of representatives from the federal software vendor pool, including: Unisys Corp. ; Microsoft Corp. ; NightDragon Security, LLC; Cohere Technologies, Inc.; Palo Alto Networks, Inc.; Communications Technologies, Inc.; Two island partners; Tenable Holdings, Inc.; Qualcomm; MediaKind, Inc.; Ciena Corp.; and Lumen Technologies, Inc.

During the meeting, CISA Executive Director Brandon Wales read out a series of actions the administration has taken based on the NSTAC’s recommendations. The list included a binding operational directive for agencies to conduct weekly scans of their networks and digital assets; mitigation of compliance issues with export controls on participation in standards; support in the President’s fiscal year 2023 budget as well as a state and local grant program for the transition to a “zero trust” cybersecurity approach; post-quantum cryptography plans; and the Department of Defense prototyping fifth-generation telecommunications networks.

Inglis said the long-awaited national cybersecurity strategy, expected this fall, is still not final, but the administration has already begun implementing “steps to begin the process of rebuilding the country’s cybersecurity infrastructure,” according to the readout.

“This process began with two key pieces of legislation being enacted: the Infrastructure Investment and Jobs Act and the Inflation Reduction Act of 2022,” the minutes read. “Mr. Inglis explained that these two laws are being used to rebuild both the physical and digital infrastructure of the United States.”

His remarks echo efforts already underway through the implementation of a May 2021 executive order on cybersecurity, which initially suggested that agencies should require a software bill of materials, or SBOM, as a condition of supply. SBOMs are intended to give end users greater visibility into software components that might enter their networks. But after leaving it up to agencies to determine their own SBOM requirement under the order, the Office of Management and Budget is now under pressure from industry to actively discourage agencies from asking potential contractors for a SBOM.

Inglis said the new National Cybersecurity Strategy should be implemented across government, while noting that the United States “must build — from the ground up — a defensive infrastructure based on the principles of zero trust,” according to the readout.

He also “acknowledged the complexity of this task and said that to accomplish it, the government must harness the capabilities of public-private partnerships such as the NSTAC,” reads the summary of the meeting.

During the meeting, Microsoft’s Scott Charney reported on NSTAC’s plans to show how software security assurance already exists in federal procurement.

The group is “reviewing how federal government requirements have been enacted, assurance has been proven and compliance has been communicated,” according to the readout, which says the committee will also recommend ways to reduce security compliance obligations with the various agencies that regulate cybersecurity for different critical infrastructure sectors.

“Mr. Charney explained that, as the challenges are not limited to federal government procurement, the subcommittee is also considering the continuing challenge posed by an increasing number of sector-specific security requirements,” according to the readout. “He said the aim is to identify how the government can significantly streamline regulatory processes and promote cross-industry harmonization to ensure assurances with safety requirements [are] more effective and efficient.”

The NSTAC will deliberate and vote on the committee’s new recommendations at its next meeting, scheduled for February 2023.