Establishment and Expansion of Software Supply Chain Regulations and Standards
Worldwide, we continue to see a push for digital transformation not only in the private sector but increasingly through government guidance and regulation. In 2022, the European Union Agency for Cybersecurity (ENISA) identified the compromise of software supply chains through software dependencies as the foremost emerging threat. Recognizing the profound implications of cyber threats to national security and economic stability, the United States (US) and the European Union (EU) have taken the lead in orchestrating robust regulatory frameworks and providing substantive guidance to fortify defenses against escalating cyber risks. Their comprehensive approach to cybersecurity includes stringent requirements for critical infrastructure sectors, enactment of rigorous data protection laws, and enhancement of international cooperation to combat cybercrime.
However, various regions across the globe are experiencing notable surges in cybersecurity endeavors outside the US and EU. Canada, Japan, Australia, Germany, and others are acknowledging the criticality of securing software supply chains by drafting legislation and building capabilities to thwart cyber threats. While the bulk of documented guidance and regulation is coming from the US and EU, it’s clear that safeguarding the digital realm is a global imperative.
What’s happening around the world?
What’s happening in the United States?
- In March 2023, the National Cybersecurity Strategy (NCS) was introduced and became a cornerstone for global cybersecurity. The implementation plan was released in July 2023.
- Congress introduced two pieces of legislation in March 2023: the Securing Open Source Software Act of 2023 and the AI for National Security Act.
- March also saw the Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act go into effect.
- In July 2023, the Securities and Exchange Commission adopted new rules requiring organizations to disclose cybersecurity incidents and more.
- In September 2023, the Department of Defense declassified its Cyber Strategy, and CISA announced its Open Source Software Security Roadmap.
What’s happening in the European Union
- On September 15, 2022, the first draft of the Cyber Resilience Act (CRA) was published; throughout 2023 it has been widely criticized by the Open Source Software community as potentially restrictive and detrimental to the open source community in Europe and beyond.
- On the heels of the CRA, draft updates to the Product Liability Directive (PLD) include specific attention to increasing liability related to Open Source Software projects and have drawn similar negative feedback from the OSS community.
- On January 16, 2023, the Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and aims to set new standards for cybersecurity within the European Union, entered into force, with an October 17, 2024 deadline for EU member states to implement the directive.
What’s happening in Australia
- In April 2023, the Australian Cyber Security Centre (ACSC) published “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default” in collaboration with many international cybersecurity agencies.
- Quad Cybersecurity Partnership: Joint Principles for Secure Software, published in May 2023, aligns Australia with the United States, Japan, and India to strengthen software security, encourages the adoption of secure software practices, and establishes guidelines for software procurement and usage within government.
- In March 2023, the Australian Cyber Security Centre (ACSC) released its Guidelines for Software Development. These guidelines emphasize the importance of Application Security Testing (AST) to assist developers in pinpointing vulnerabilities and highlight the necessity for a Software Bill of Materials (SBOM).
What’s happening in Canada
- In April 2023, the Canadian Centre for Cyber Security (CCCS) contributed to the publication from the Australian Cyber Security Centre (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility for cybersecurity onto software organizations.
- In October 2022, the Canadian Centre for Cyber Security (the Cyber Centre) released its National Cyber Threat Assessment 2023-2024, warning that state-sponsored and criminal cyber threats are increasingly likely to affect Canadians.
- In February 2023, the Cyber Centre published “Protecting your organization from software supply chain threats,” offering guidance and best practices for securing software supply chains.
What’s happening in Germany
- In April 2023, Germany’s Federal Office for Information Security (BSI) contributed to the publication from the Australian Cyber Security Centre (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility for cybersecurity onto software organizations.
What’s happening in India
- Quad Cybersecurity Partnership: Joint Principles for Secure Software, published in May 2023, aligns India with the United States, Japan, and Australia to strengthen software security, encourages the adoption of secure software practices, and establishes guidelines for software procurement and usage in government.
What’s happening in Japan
- Landmark legislation around supply chain stability and security for critical infrastructure from 2022, “Act on Promotion of Economic Security by Integrated Implementation of Economic Measures,” went into effect in February 2023.
- Quad Cybersecurity Partnership: Joint Principles for Secure Software, published in May 2023, aligns Japan with the United States, India, and Australia to strengthen software security, encourages the adoption of secure software practices, and establishes guidelines for software procurement and usage in government.
What’s happening in New Zealand
- In April 2023, New Zealand's National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ) contributed to the publication from the Australian Cyber Security Centre (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility for cybersecurity onto software organizations.
What’s happening in the United Kingdom
- In December 2022, the UK government unveiled an update to its Government Cyber Security Strategy regarding supply chain vulnerabilities and assigned the Department for Digital, Culture, Media, and Sport (DCMS) to implement Network and Information Systems (NIS) regulations in collaboration with the National Cyber Security Centre.
- In February 2023, the UK government called for views on software resilience and security for businesses and organizations as a follow-up to the July 2022 proposed legislation on enhancing the country’s cyber resilience.
- In April 2023, the United Kingdom’s National Cyber Security Centre (NCSC-UK) contributed to the publication of the Australian Cyber Security Centre (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility for cybersecurity onto software organizations.
The National Cybersecurity Strategy (NCS) has been hailed as the foundational document for advancing cybersecurity and is shaping legislation globally. Its comprehensive content underscores the urgency of enhancing cybersecurity both in the US and internationally. Addressing a wide range of areas from infrastructure — related to incidents like SolarWinds and NotPetya — to software bill of materials (SBOM) alignment with Executive Order (EO) 14028, the NCS emphasizes the growing importance of security in software design. Moreover, it underscores impending changes in accountability for software manufacturers. Specifically, organizations unable to prove security is inherently integrated into their software design will face increased responsibilities and liabilities.
In March 2023, Congress introduced legislation "to establish the duties of the Director of the Cybersecurity and Infrastructure Security Agency regarding open source software security, and for other purposes."
In March 2023, the House Armed Services Committee introduced legislation "to make certain improvements to the enterprise-wide procurement of cyber data products and services by the Department of Defense and for other purposes." In subsection (b), it inserts "including by enhancing the security of the software supply chain of the Department" after "best interests of the Department."
On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") became law. Within it, Section 3305 titled "Ensuring Cybersecurity of Medical Devices" updated the Federal Food, Drug, and Cosmetic Act (FD&C Act) by introducing Section 524B on device cybersecurity. According to the Omnibus, cybersecurity mandates won't apply to applications or submissions made to the Food and Drug Administration (FDA) before March 29, 2023.
Similar to the FDA, the Securities and Exchange Commission (SEC) proposed a number of rules (33-11028, 33-11038, 34-91742) for public companies, the securities market, advisers, funds, and others within the SEC's regulatory scope. This move responds to various findings, including those by the FBI and Congress as well as the Cybersecurity and Infrastructure Security Agency (CISA), which state that "cybersecurity incidents are underreported."
Among the new rules are requirements for organizations to demonstrate the development of robust processes and procedures for vulnerability management, detection, mitigation, and remediation. In addition to these requirements, the SEC has proposed specific rules concerning the disclosure of said processes and procedures.
In July 2023, the SEC adopted new rules compelling organizations to disclose significant cybersecurity incidents and provide annual cybersecurity risk management, strategy, and governance information, with comparable requirements for foreign private issuers. Registrants must also describe their cybersecurity risk assessment processes and board oversight in an annual report.
SEC Chair Gary Gensler emphasized that any material event, including cybersecurity incidents, should be disclosed to benefit investors and the market. The rules mandate disclosing the specifics of a significant cybersecurity incident — namely, its nature, scope, timing, and impact — within four business days unless it's deemed a national security risk by the U.S. Attorney General, in which case it can be delayed.
In April 2023, the self-attestation document was released for comments. It represents a sequence of events initiated by EO 14028, which directed the National Institute of Standards and Technology (NIST) to provide guidance on secure software development standards. EO 14028 also directed the Office of Management and Budget (OMB) to require federal agencies to collect information from software manufacturers that supply software products to the US government. The OMB responded with M-22-18, setting the guidelines for requiring federal agencies to collect this information.
As part of these guidelines, software manufacturers must attest to using secure software development best practices highlighted in the memo and developed by NIST. While this is simply a first step, it aligns with the secure-by-design-and-default approach CISA has released. It incorporates secure software development best practices from NIST's Secure Software Development Framework (SSDF) and asks organizations providing software to the US government to self-attest that they have embedded this guidance into their software development process.
In July 2023, the Biden-Harris Administration released the National Cybersecurity Strategy Implementation Plan (NCSIP) to align roles, responsibilities, and resources in cyberspace.
It focuses on two shifts:
- Greater burden-sharing in cybersecurity by major entities
- Promotion of long-term cybersecurity investments
Five pillars of the NCS
Defending Critical Infrastructure
This pillar focuses on updating the National Cyber Incident Response Plan (NCIRP) to enhance coordination during cyber incidents and provide clear guidance to external partners, led by CISA.
Investing in a Resilient Future
Focusing on cybersecurity standards and quantum-resistant cryptography, this pillar, led by NIST, aims to enhance US leadership in international cybersecurity standardization and quantum-resistant cryptographic algorithms.
Disrupting and Dismantling Threat Actors
This pillar aims to combat ransomware and cybercrime with coordinated efforts, including disruption operations against ransomware ecosystems and offering resources to high-risk targets, co-chaired by CISA and the FBI.
Forging International Partnerships to Pursue Shared Goals
This pillar involves development of international cyberspace and digital policy strategies, collaboration with partners and allies, and strengthening of knowledge and skills in cyberspace and digital policy, led by the Department of State.
Shaping Market Forces and Driving Security and Resilience
This pillar, through efforts led by CISA, seeks to increase software transparency through SBOMs to reduce supply chain risks and explore a globally accessible database for end-of-life software.
Overall, the NCSIP emphasizes resilience, equity, and defense in cyberspace and is led by 18 government agencies and coordinated by the Office of the National Cyber Director (ONCD). The NCSIP aligns with the private sector, civil society, international partners, and government entities. It covers key areas like critical infrastructure defense, threat actor disruption, shaping of market forces, investing in resilience, and forging of international partnerships.
In September 2023, the Department of Defense (DOD) released a declassified summary of its classified 2023 Cyber Strategy, aligning it with national security priorities. It builds on lessons learned from cyber operations and the Russia-Ukraine conflict, emphasizing collaboration with allies and partners.
The strategy aims to maximize cyber capabilities for integrated deterrence, enhance cyber network defense, support non-DOD agencies, and safeguard the defense industrial base. Notably, it commits to bolstering collective cyber resilience among allies and integrating cyber capabilities into traditional warfighting efforts. This marks the fourth iteration of the DOD's cyber strategy, informed by significant experience in cyberspace operations.
At the OpenSSF Secure Open Source Software Summit in September 2023, CISA announced its Open Source Software Security Roadmap, which outlines strategic goals and objectives for enhancing the security of open source software (OSS).
The roadmap focuses on four key goals to guide CISA in enhancing OSS security, aligning with broader cybersecurity strategies, and fostering collaboration with the OSS community and international partners:
CISA’s key goals to enhance security of open source software
Data scientists and engineers tasked with deploying open source large language models (LLMs) shoulder a substantial burden, encompassing numerous critical decisions. Given how this dynamic can influence OSS security, CISA established the following goals:
- Establish CISA’s role in supporting OSS security, partnering with OSS communities, and encouraging collective action.
- Reduce risks to the federal government by evaluating solutions for secure OSS usage, developing open source program office (OSPO) guidance, and prioritizing federal actions in OSS security.
- Drive visibility into OSS usage and risks by understanding the prevalence of OSS, developing a risk-prioritization framework, and assessing threats.
- Harden the OSS ecosystem by advancing SBOMs, fostering security education for OSS developers, publishing OSS security best practices, and coordinating OSS vulnerability disclosure and response.
NHTSA Cybersecurity Best Practices of Modern Vehicles
In September 2022, the United States Department of Transportation National Highway Traffic Safety Administration (NHTSA) published Cybersecurity Best Practices for the Safety of Modern Vehicles, a document aimed at addressing cybersecurity in modern vehicle manufacturing.
Among many recommendations, the NHTSA guides manufacturers to demonstrate processes and procedures to inventory software assets, track details related to open source software components, continuously monitor and assess risk, and disclose vulnerabilities. Most of these recommendations are also backed by the International Organization for Standardization (ISO) cybersecurity standards.
The Cyber Resilience Act (CRA) was proposed in September 2022, and it was met with mixed reviews. On the surface, it represents an improvement in holding manufacturers liable for the security of the software products they produce. However, it also represents a different direction for holding open source projects and creators liable for vulnerable software and attempts to potentially bring them in line with any traditional supplier. This approach presents interesting issues.
Although open source software is part of the software supply chain, how someone uses the software is often outside the understanding and control of the creator or open source project itself. As currently formulated, the CRA carries the potential to pose substantial barriers to many open source projects and even the distributors of open source software, potentially limiting their accessibility to EU markets. In some cases, it may discourage involvement in open source software in the EU altogether, putting EU-based companies far behind innovation and efficiency leaps in other geographical areas.
The Product Liability Directive (PLD) delineates rules and guidance for the liability and responsibility of manufacturers of defective products as well as suppliers of defective parts for those products. A proposed update in September 2022 marked a notable expansion encompassing software and digital products, which had been excluded previously.
These updates put open source software and any related projects or activity within the potential sights of liability or responsibility associated with defects (i.e., vulnerabilities). For example, as written, there would be potential to find distributors of parts, such as Sonatype/Maven Central, liable for open source vulnerabilities resulting in loss or, in some cases, distress to software product customers.
In December 2022, the European Parliament approved updates to the Network and Information Security Directive (NIS), referring to it going forward as NIS2. NIS2 is an evolution intended to modernize the approach of EU member nations towards cybersecurity. Among a host of updates, NIS2 includes call-outs for improved software supply chain security, greater attention to critical vulnerabilities, the rise in attacks from malicious actors, and the necessity of processes for disclosure and communication, such as Coordinated Vulnerability Disclosure (CVD).
NIS2 makes it clear that "businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive." In addition, there are a number of requirements imposed based on different business categories: Highly Critical Sectors, Critical Sectors, and Essential Entities. In order to help countries address these requirements, ENISA published guidance documentation including Good Practices for Supply Chain Security. Failure to meet the requirements established within NIS2 can result in a number of sanctions.
On October 28, 2022, the Canadian Centre for Cyber Security (the Cyber Centre) released its National Cyber Threat Assessment 2023-2024, warning that state-sponsored and criminal cyber threats are increasingly likely to affect Canadians. The report highlights five key areas of concern: ransomware, critical infrastructure, state-sponsored threats, influence operations, and disruptive technologies.
Among a number of criteria, the report also cites increased risk from remote work, more connected systems, and the proliferation of cybercrime tools. In assigning responsibility, the report points to threat actors in China, Russia, Iran, and North Korea that pose the greatest state-sponsored risk. In response, the Canadian government has invested in cybersecurity, including $875 million in its Budget 2022 to bolster defenses.
In February 2023, the Cyber Centre published "Protecting your organization from software supply chain threats," which offers guidance and best practices for securing software supply chains. The document outlines the importance of minimizing software supply chain risk, including the ability of malware to compromise updates, and the importance of remediating vulnerabilities in OSS components. Recommendations include vetting suppliers, monitoring them continuously, and incorporating supply chain risk management into security programs. Finally, organizations should have recovery plans to ensure business continuity when software supply chain attacks occur.
Published in May 2023, the "Quad Cybersecurity Partnership: Joint Principles for Secure Software" outlines the commitment of the Quad partners (the United States, Japan, India, and Australia) to enhance software security.
Main points of Quad Cybersecurity Partnership
Recognition of security risks
The Quad partners acknowledge the risks associated with the software supply chain being tampered with by adversarial and non-adversarial threats.
Secure software development practices
The document outlines high-level secure software development practices, including preparing the organization, protecting software and its development environment, producing well-secured software, and responding to vulnerabilities.
Promotion of secure software culture
The Quad partners aim to promote a culture where software security is a fundamental aspect of software development.
Government procurement guidelines
Each Quad country intends to adopt guidelines for government procurement of software, including self-attestation by software producers regarding secure development practices and encouraging participation in national vulnerability disclosure programs.
Minimum cybersecurity guidelines
The Quad partners commit to establishing minimum cybersecurity guidelines for governments to guide software development, procurement, and usage, aligned with international obligations and domestic laws.
Security measures for government software use
The Quad partners commit to implementing controls and processes to protect government software and platforms from unauthorized access and usage.
Engagement with the software industry
They plan to engage with the software industry to ensure secure software practices are integrated throughout the software development life cycle, with the goal of reducing vulnerabilities.
In April 2023, the Australian Cyber Security Centre (ACSC) published "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default." This is the same document that has become the guiding foundation for the US cybersecurity strategy. Though the guidance has been led by CISA and the FBI in the US, the document represents a collaboration across many international cybersecurity organizations:
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (CCCS)
- United Kingdom’s National Cyber Security Centre (NCSC-UK)
- Germany’s Federal Office for Information Security (BSI)
- Netherlands’ National Cyber Security Centre (NCSC-NL)
- New Zealand's National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
Are software supply chain regulations working?
As we've seen from the analysis above, we're still in the very early stages of implementing true regulation that will hold people accountable for more secure software supply chains.
We also examined attitudes to regulation in the UK and the US, uncovering that large enterprises generally see regulation as a good thing. In fact, 41% of security decision-makers see cyber regulation as the factor having the greatest positive impact on software security. Some, however, lament the volume of cybersecurity regulation, with 44% of business leaders believing there is too much government intervention on cybersecurity overall.
FIGURE 5.2. PERCENTAGE OF SECURITY LEADERS WHO BELIEVE REGULATIONS ARE EFFECTIVE FOR IMPROVING CYBERSECURITY
Navigating the policy frontier: Global cybersecurity regulations
The global landscape of cybersecurity guidance and regulation in 2023 reflects a marked transformation compared to years past, driven by the ever-increasing urgency to address evolving cyber threats.
Initiatives and regulatory actions taken by key players such as the US, EU, UK, Australia, Canada, Japan, and New Zealand demonstrate a shared commitment to improve digital defenses and safeguard critical infrastructure.
Three key themes have emerged:
- Heightened emphasis on security during software creation.
- Holding software producers accountable for their products.
- The need for robust processes to address cybersecurity incidents.
The global trend of cybersecurity regulations in 2023 demonstrates a growing collective endeavor to adapt to the ever-changing threat environment. Further international cooperation in this regard will be necessary to better prioritize secure software development practices. Regulations covered above as well as future related initiatives will play a pivotal role in shaping the future of cybersecurity policies and practices at scale worldwide.