Preparing for the Impact of EO 14028 on Software Security

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Curtis Yanko of CodeSecure examines the dark side of executing Executive Order 14028 and how it will impact private-sector software security.

Despite the fact that the Cybersecurity Executive Order, known as EO 14028, governs software designed for use by government agencies, these guidelines will eventually extend to and reshape private sector software security practices– especially for hardware used in critical infrastructure and safety-critical industries, including automotive, aerospace, IoT, medical devices, and more.

We can expect EO 14028, which requires software supplies to adopt NIST SSDF, a set of guidelines and best practices for secure software development, to force profound changes in private sector software security requirements. Specifically, it calls for a proactive shift to integrating security considerations across the software development lifecycle, from design and coding to testing and deployment. While this transition will necessitate a shift in mindset and resource allocation, it is a critical step toward minimizing software supply chain vulnerabilities and hardening digital assets.

Here are five ways EO 14028 and SSDF are likely to impact private-sector software security:

1. Influence on industry standards: Private sector organizations, including those developing safety-critical products and software used in critical infrastructure, may need to adopt SSDF standards and guidelines voluntarily to align with recognized best practices.
2. Market expectations: With increasing customer expectations regarding the security and integrity of software products, especially for critical infrastructure, product selection may favor suppliers that demonstrate adherence to recognized cybersecurity practices, specifically those influenced by NIST, CISA, and EO 14028.
3. Enforcement of supply chain security practices: Suppliers developing safety-critical software will likely be required to implement supply chain security practices, such as conducting thorough vendor assessments, ensuring software integrity throughout the supply chain, and implementing secure development practices.
4. Collaboration with federal agencies: Private sector organizations may need to collaborate with federal government agencies on information sharing, participation in working groups, or joint initiatives to strengthen cybersecurity measures in the broader software ecosystem.
5. Potential future regulations: While EO 14028 is specific to federal agencies, subsequent cybersecurity regulations or industry-specific standards may be created for and require compliance by private sector hardware and software providers.

Given these current trade winds, private-sector software suppliers should closely monitor any subsequent developments, guidelines, or standards that emerge as a result of EO 14028. Engaging with industry associations, staying informed about evolving cybersecurity practices, and consulting legal and cybersecurity experts can help organizations navigate potential impacts and adapt their practices accordingly.

One of the ways to prepare for greater regulation within the software security supply chain is through the proactive adoption of NIST SSDF guidelines and best practices for secure software development. It emphasizes proactive identification and mitigation of security risks and promotes a continuous improvement mindset to enhance software security over time. NIST has also published Guidelines on Minimum Standards for Developer Verification of Software (NISTIR 8397), which recommends techniques for meeting the guidance outlined in EO 14028.

While safety-critical software already undergoes testing for security vulnerabilities, the integration of the NIST framework can further strengthen secure development processes in the following ways:

• Stronger security: SSDF best practices, which can be applied during development, including threat modeling, secure coding practices, secure configuration management, secure authentication and access controls, secure communication protocols, and vulnerability assessments.
• Security-by-Design Approach: Modern safety-critical systems should integrate security considerations from the early stages of the development process, not as an afterthought. Alongside safety risk assessment, developers should incorporate security requirements and risk assessments into the software development life cycle, conduct security-focused design reviews, and implement security controls at each development phase.
• Collaboration: The SSDF encourages collaboration among developers, testers, security professionals, and management. This helps foster a security-focused culture and ensures that security considerations are effectively communicated and understood across the development team. Additionally, training and awareness programs on secure software development practices are essential for success.
• Security tools: the use of secure development tools and automation can assist in identifying vulnerabilities, enforcing secure coding practices, and automating security testing. Integrating such tools into existing development processes and pipelines can augment security testing efforts and provide developers with real-time feedback on potential security issues.
• Compliance: Verification and auditing are common practices for safety-critical software development, while compliance with security standards may soon be, or already is, a requirement in many industries. Following SSDF guidelines for regular security assessments, code reviews, and security testing can help demonstrate the effectiveness of security controls and identify areas for improvement during an audit.

Private sector critical infrastructure and safety-critical software developers can expect some or all of Cybersecurity Executive Order 14028’s requirements to apply to them at some point. With concerns over software supply chain security risks now front and center with customers, product security should be a focal point for embedded, IoT, and safety-critical suppliers. By integrating the NIST Secure Software Development Framework into their development processes, organizations can elevate the security, overall quality, and integrity of their products.