The U.S. federal government has had a busy year when it comes to cybersecurity strategy. In March 2023, the White House published the National Cybersecurity Strategy. In July 2023, the White House followed that up with the National Cybersecurity Strategy Implementation Plan.
Previously, the US government had avoided calling for tight civil and criminal liability for producers of software that isn’t secure. “Pillar Three – Shape Market Forces to Drive Security and Resilience” hits directly on this.
Pillar Three recommends that Congress pass legislation to set national cybersecurity requirements and shift liability from customers to software producers. In fact, it goes so far as to propose a safe harbor concept for companies compliant with NIST SP 800-218, and to open up corporate liability through invalidating the indemnification clauses found in every commercial software license. If successful, this would force companies to strengthen their software security or likely go out of business.
In reality, this Congress is unlikely to pass the required legislation. Even so, this clearly indicates where the federal government is heading, and all software companies should start planning for when this becomes law. The executive branch can’t force Congress to pass laws, but as the world’s largest IT buyer, it’s willing to use its enormous buying power to push toward full implementation of the strategy.
The Implementation Plan is a clear indicator of this and includes several initiatives worth noting:
- 1.1.2 sets cybersecurity requirements across critical infrastructure sectors.
- 1.2.1 scales public-private partnerships to drive secure-by-design and secure-by-default.
- 3.3.1 explores how the government can implement the liability framework.
- 3.3.2 addresses software bills of materials and how to reduce the use of unsupported software.
- 3.5.1 involves updating Federal Acquisition Regulations to strengthen cybersecurity requirements.
- 4.1.2 promotes open-source software security.
- 4.4.1 drives adoption of cyber secure-by-design principles in federal projects.
- 4.6.1 focuses on a national cyber workforce and education strategy.
- 5.5.4 promotes the implementation of Cybersecurity Supply Chain Risk Management key practices.
Among the many initiatives detailed in the Implementation Plan, these highlight the strategy I addressed earlier. Various federal agencies are acting on these now to improve software security before it goes into production. This is proactive and preventative cyber defense.
What role does Checkmarx play in this? Checkmarx One is our cloud-native SaaS AppSec platform, and it provides a wide range of security testing tools for developers during software development and in production, as well as providing built-in security training for developers.
Here are the components of Checkmarx One, and how they align with the National Cybersecurity Strategy and its Implementation Plan.
| Component | Secure-by-Design / Secure-by-Default | Open Source Security | Supply Chain Risk Management | Secure Development Training |
|---|---|---|---|---|
| SAST | X | | | |
| SCA | X | | | |
| SCS | X | X | | |
| API Security | X | | | |
| DAST | X | | | |
| Container Security | X | | | |
| IaC Security | X | | | |
| Codebashing | X | | | |
Checkmarx One supports most if not all of these initiatives, mostly through direct testing of the source code or configuration data to ensure that the application is actually secure. What isn’t included in the above table are the liability-related initiatives. Once implemented, these will be the underlying driver for all software developers that sell to the U.S. government. They will likely set a new global trend toward regulating the security of software purchased by governments worldwide.
At some point, and it looks to be soon, software developers will have to meet secure development and secure implementation requirements to sell software to the government. This will include not only delivering a software bill of materials, but also mitigating the risks associated with using open-source software. It won’t just be SBOMs that become a normal way of life; required compliance with NIST 800-218, the Secure Software Development Framework, is also likely.
We are at an inflection point for delivering software to the government. Security is quickly rising as a priority, competing with product features. As the government continues to implement this strategy, companies will be faced with either adopting new tools to improve their secure development processes or walking away from selling to the federal government. Walking away may work for some companies, but once this has settled down a bit, we can expect large enterprise customers to adopt similar requirements.
Throughout the evolution of this strategy and implementation, Checkmarx remains well positioned with Checkmarx One to provide a single AppSec platform that helps companies meet these challenges and requirements head on. As one of the public sector leaders within Checkmarx, I say GAME ON!
Want to learn more about the Checkmarx One enterprise AppSec platform and how it aligns with this new government strategy? Request a demo today.