CHAPTER 5

Establishment and Expansion of Software Supply Chain Regulations and Standards

Worldwide, we continue to see a push for digital transformation not only in the private sector but increasingly through government guidance and regulation. In 2022, the European Union Agency for Cybersecurity (ENISA) identified the compromise of software supply chains through software dependencies as the foremost emerging threat. Recognizing the profound implications of cyber threats to national security and economic stability, the United States (US) and the European Union (EU) have taken the lead in orchestrating robust regulatory frameworks and providing substantive guidance to fortify defenses against escalating cyber risks. Their comprehensive approach to cybersecurity includes stringent requirements for critical infrastructure sectors, enactment of rigorous data protection laws, and enhancement of international cooperation to combat cybercrime.

However, various regions across the globe are experiencing notable surges in cybersecurity endeavors outside the US and EU. Canada, Japan, Australia, Germany, and others are acknowledging the criticality of securing software supply chains by drafting legislation and building capabilities to thwart cyber threats. While the bulk of documented guidance and regulation is coming from the US and EU, it’s clear the pressing need to safeguard the digital realm is a global imperative.

What’s happening around the world?

What’s happening in the United States

Further US analysis


What’s happening in the European Union

  • On September 15, 2022, the first draft of the Cyber Resilience Act (CRA) was published. Throughout 2023 it has been widely criticized by the Open Source Software community as potentially restrictive and detrimental to the open source community in Europe and beyond.
  • On the heels of the CRA, draft updates to the Product Liability Directive (PLD) pay specific attention to increasing liability for Open Source Software projects and have drawn negative feedback from the OSS community similar to that directed at the CRA.
  • On January 16, 2023, the Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and aims to set new standards for cybersecurity within the European Union, entered into force, with an October 17, 2024 deadline for EU member states to implement the directive.

Further EU analysis


What’s happening in Australia

Read more on the Quad Cyber Security Partnership


What’s happening in Canada


Further Canada analysis


What’s happening in Germany

  • In April 2023, Germany’s Federal Office for Information Security (BSI) contributed to the publication from the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility for cybersecurity on software organizations.

More on the Shifting Balance of Cybersecurity Risk document

What’s happening in India

Read more on the Quad Cyber Security Partnership


What’s happening in Japan

Read more on the Quad Cyber Security Partnership


What’s happening in New Zealand

  • In April 2023, New Zealand's National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ) contributed to the publication from the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility for cybersecurity on software organizations.

More on the Shifting Balance of Cybersecurity Risk document


What’s happening in the United Kingdom

  • In December 2022, the UK government unveiled an update to its Government Cyber Security Strategy regarding supply chain vulnerabilities and assigned the Department for Digital, Culture, Media, and Sport (DCMS) to implement the Network and Information Systems (NIS) regulations in collaboration with the National Cyber Security Centre.
  • In February 2023, the UK government called for views on software resilience and security for businesses and organizations as a follow-up to the July 2022 proposed legislation on enhancing the country’s cyber resilience.
  • In April 2023, the United Kingdom’s National Cyber Security Centre (NCSC-UK) contributed to the publication of the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility for cybersecurity on software organizations.

More on the Shifting Balance of Cybersecurity Risk document

United States

 

National Cybersecurity Strategy

The National Cybersecurity Strategy (NCS) has been hailed as the foundational document for advancing cybersecurity and is shaping legislation globally. Its comprehensive content underscores the urgency of enhancing cybersecurity both in the US and internationally. Addressing a wide range of areas from infrastructure — related to incidents like SolarWinds and NotPetya — to software bill of materials (SBOM) alignment with Executive Order (EO) 14028, the NCS emphasizes the growing importance of security in software design. Moreover, it underscores impending changes in accountability for software manufacturers. Specifically, organizations unable to prove security is inherently integrated into their software design will face increased responsibilities and liabilities.

The National Cybersecurity Strategy underscores the impending changes in accountability and liability for software manufacturers in the US.


Securing Open Source Software Act of 2023 

In March 2023, Congress introduced legislation "to establish the duties of the Director of the Cybersecurity and Infrastructure Security Agency regarding open source software security, and for other purposes."

AI for National Security Act

In March 2023, the House Armed Services Committee introduced legislation "to make certain improvements to the enterprise-wide procurement of cyber data products and services by the Department of Defense and for other purposes." In subsection (b), it inserts "including by enhancing the security of the software supply chain of the Department" after "best interests of the Department."

FDA Cybersecurity in Medical Devices

On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") became law. Within it, Section 3305 titled "Ensuring Cybersecurity of Medical Devices" updated the Federal Food, Drug, and Cosmetic Act (FD&C Act) by introducing Section 524B on device cybersecurity. According to the Omnibus, cybersecurity mandates won't apply to applications or submissions made to the Food and Drug Administration (FDA) before March 29, 2023.

SEC regulations

Similar to the FDA, the Securities and Exchange Commission (SEC) proposed a number of rules (33-11028, 33-11038, 34-91742) for public companies, the securities market, advisers, funds, and others within SEC's regulatory scope. This move responds to various findings, including those by the FBI and Congress as well as Cybersecurity and Infrastructure Security Agency (CISA), that state "cybersecurity incidents are underreported." 

Among the new rules are requirements for organizations to demonstrate the development of robust processes and procedures for vulnerability management, detection, mitigation, and remediation. In addition to these requirements, the SEC has proposed specific rules concerning the disclosure of said processes and procedures. 

In July 2023, the SEC adopted new rules compelling organizations to disclose significant cybersecurity incidents and provide annual cybersecurity risk management, strategy, and governance information, with comparable requirements for foreign private issuers. Registrants must also describe their cybersecurity risk assessment processes and board oversight in an annual report. 

SEC Chair Gary Gensler emphasized that any material event, including cybersecurity incidents, should be disclosed to benefit investors and the market. The rules mandate disclosing the specifics of a significant cybersecurity incident — namely, its nature, scope, timing, and impact — within four business days unless it's deemed a national security risk by the U.S. Attorney General, in which case it can be delayed. 

Secure Software Self-Attestation Common Form

In April 2023, this document was released for comments. It represents a sequence of events initiated by EO 14028, which directed National Institute of Standards and Technology (NIST) to provide guidance on secure software development standards. EO 14028 also directed the Office of Management and Budget (OMB) to require federal agencies to collect information from software manufacturers that supply software products to the US government. The OMB responded with M-22-18, setting the guidelines for requiring federal agencies to collect this information.

As part of these guidelines, software manufacturers must attest to using secure software development best practices highlighted in the memo and developed by NIST. While this is simply a first step, it aligns with the secure-by-design-and-default approach CISA has released. It incorporates secure software development best practices from NIST's Secure Software Development Framework (SSDF) and asks organizations providing software to the US government to self-attest that they have embedded this guidance into their software development process. 

The OMB's self-attestation policy will require software manufacturers doing business with the US government to attest to NIST guidelines based on CISA's secure-by-design and secure-by-default principles established in the National Cybersecurity Strategy.

National Cybersecurity Strategy Implementation Plan

In July 2023, the Biden-Harris Administration released the National Cybersecurity Strategy Implementation Plan (NCSIP) to align roles, responsibilities, and resources in cyberspace. 

It focuses on two shifts:

  • Greater burden-sharing in cybersecurity by major entities
  • Promotion of long-term cybersecurity investments

The plan outlines over 65 high-impact initiatives, from combating cybercrime to building a skilled cyber workforce, which align with the five pillars outlined in the NCS:

Five pillars of the NCS

Pillar One:
Defending Critical Infrastructure

This pillar focuses on updating the National Cyber Incident Response Plan (NCIRP) to enhance coordination during cyber incidents and provide clear guidance to external partners, led by CISA.

Pillar Two:
Disrupting and Dismantling Threat Actors

This pillar aims to combat ransomware and cybercrime with coordinated efforts, including disruption operations against ransomware ecosystems and offering resources to high-risk targets, co-chaired by CISA and the FBI.

Pillar Three:
Shaping Market Forces and Driving Security and Resilience

This pillar, through efforts led by CISA, seeks to increase software transparency through SBOMs to reduce supply chain risks and explore a globally accessible database for end-of-life software.

Pillar Four:
Investing in a Resilient Future

Focusing on cybersecurity standards and quantum-resistant cryptography, this pillar, led by NIST, aims to enhance US leadership in international cybersecurity standardization and quantum-resistant cryptographic algorithms.

Pillar Five:
Forging International Partnerships to Pursue Shared Goals

This pillar involves development of international cyberspace and digital policy strategies, collaboration with partners and allies, and strengthening of knowledge and skills in cyberspace and digital policy, led by the Department of State.

Overall, the NCSIP emphasizes resilience, equity, and defense in cyberspace and is led by 18 government agencies and coordinated by the Office of the National Cyber Director (ONCD). The NCSIP aligns with the private sector, civil society, international partners, and government entities. It covers key areas like critical infrastructure defense, threat actor disruption, shaping of market forces, investing in resilience, and forging of international partnerships.

Cyber Strategy of the Department of Defense (Declassified)

In September 2023, the Department of Defense (DOD) released a declassified summary of its classified 2023 Cyber Strategy, aligning it with national security priorities. It builds on lessons learned from cyber operations and the Russia-Ukraine conflict, emphasizing collaboration with allies and partners. 

The strategy aims to maximize cyber capabilities for integrated deterrence, enhance cyber network defense, support non-DOD agencies, and safeguard the defense industrial base. Notably, it commits to bolstering collective cyber resilience among allies and integrating cyber capabilities into traditional warfighting efforts. This marks the fourth iteration of the DOD's cyber strategy, informed by significant experience in cyberspace operations.

CISA Open Source Software Security Roadmap

At the OpenSSF Secure Open Source Software Summit in September 2023, CISA announced its Open Source Software Security Roadmap, which outlines strategic goals and objectives for enhancing the security of open source software (OSS). 

The roadmap focuses on four key goals to guide CISA in enhancing OSS security, aligning with broader cybersecurity strategies, and fostering collaboration with the OSS community and international partners:

CISA’s key goals to enhance security of open source software

Data scientists and engineers tasked with deploying open source large language models (LLMs) shoulder a substantial burden, encompassing numerous critical decisions. Given how this dynamic can influence OSS security, CISA established the following goals:

Goal 1

Establish CISA’s role in supporting OSS security, partnering with OSS communities, and encouraging collective action.

Goal 2

Drive visibility into OSS usage and risks, understanding the prevalence of OSS, developing a risk-prioritization framework, and assessing threats.

Goal 3

Reduce risks to the federal government by evaluating solutions for secure OSS usage, developing open source program office (OSPO) guidance, and prioritizing federal actions in OSS security.

Goal 4

Harden the OSS ecosystem, advance SBOMs, foster security education for OSS developers, publish OSS security best practices, and coordinate OSS vulnerability disclosure and response.

NHTSA Cybersecurity Best Practices of Modern Vehicles

In September 2022, the United States Department of Transportation National Highway Traffic Safety Administration (NHTSA) published Cybersecurity Best Practices for the Safety of Modern Vehicles, a document aimed at addressing cybersecurity in modern vehicle manufacturing. 

Among many recommendations, the NHTSA guides manufacturers to demonstrate processes and procedures to inventory software assets, track details related to open source software components, continuously monitor and assess risk, and disclose vulnerabilities. Most of these recommendations are also backed by the International Organization of Standardization (ISO) cybersecurity standards.

European Union

 

Cyber Resilience Act

The Cyber Resilience Act (CRA) was proposed in September 2022, and it was met with mixed reviews. On the surface, it represents an improvement in holding manufacturers liable for the security of the software products they produce. However, it also represents a different direction for holding open source projects and creators liable for vulnerable software and attempts to potentially bring them in line with any traditional supplier. This approach presents interesting issues. 

Although open source software is part of the software supply chain, how someone uses the software is often outside the understanding and control of the creator or open source project itself. As currently formulated, the CRA carries the potential to pose substantial barriers to many open source projects and even the distributors of open source software, potentially limiting their accessibility to EU markets. In some cases, it may discourage involvement in open source software in the EU altogether, putting EU-based companies far behind innovation and efficiency leaps in other geographical areas.

As currently formulated, the CRA carries the potential to pose substantial barriers to many open source projects and even the distributors of open source software, potentially limiting their accessibility to EU markets.

 

Product Liability Directive

The Product Liability Directive (PLD) delineates rules and guidance for the liability and responsibility of manufacturers of defective products as well as suppliers of defective parts for those products. A proposed update in September 2022 marked a notable expansion encompassing software and digital products, which had been excluded previously. 

These updates put open source software and any related projects or activity within the potential sights of liability or responsibility associated with defects (i.e., vulnerabilities). For example, as written, there would be potential to find distributors of parts, such as Sonatype/Maven Central, liable for open source vulnerabilities resulting in loss or, in some cases, distress to software product customers.

Network and Information Security Directive

In December 2022, the European Parliament approved updates to the Network and Information Security Directive (NIS), referring to it going forward as NIS2. NIS2 is an evolution intended to modernize the approach of EU member nations towards cybersecurity. Among a host of updates, NIS2 includes call-outs for improved software supply chain security, greater attention to critical vulnerabilities, the increase of attacks via malicious threats, and the necessity of processes for disclosure and communication, such as Coordinated Vulnerability Disclosure (CVD). 

The updated Network and Information Security Directive (NIS2) will impose stringent compliance requirements by October 2024 based on newly defined business sector categories: Highly Critical, Critical, and Essential Entities.

NIS2 makes it clear that "businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive." In addition, there are a number of requirements imposed based on different business categories: Highly Critical Sectors, Critical Sectors, and Essential Entities. In order to help countries address these requirements, ENISA published guidance documentation including Good Practices for Supply Chain Security. Failure to meet the requirements established within NIS2 can result in a number of sanctions.

Canada

On October 28, 2022, the Canadian Centre for Cyber Security (the Cyber Centre) released its National Cyber Threat Assessment 2023-2024, warning that state-sponsored and criminal cyber threats are increasingly likely to affect Canadians. The report highlights five key areas of concern: ransomware, critical infrastructure, state-sponsored threats, influence operations, and disruptive technologies. 

Among a number of criteria, the report also cites increased risk from remote work, more connected systems, and the proliferation of cybercrime tools. In assigning responsibility, the report points to threat actors in China, Russia, Iran, and North Korea that pose the greatest state-sponsored risk. In response, the Canadian government has invested in cybersecurity, including $875 million in its Budget 2022 to bolster defenses. 

In February 2023, the Cyber Centre published "Protecting your organization from software supply chain threats," which offers guidance and best practices for securing software supply chains. The document outlines the importance of minimizing software supply chain risk, including the ability of malware to compromise updates, and the importance of remediating vulnerabilities in OSS components. Recommendations include vetting suppliers, monitoring them continuously, and incorporating supply chain risk management into security programs. Finally, organizations should have recovery plans to ensure business continuity when software supply chain attacks occur.

Global partnerships

 

Quad Cybersecurity Partnership: Joint Principles for Secure Software

Published in May 2023, the "Quad Cybersecurity Partnership: Joint Principles for Secure Software" outlines the commitment of the Quad partners (the United States, Japan, India, and Australia) to enhance software security.

Main points of Quad Cybersecurity Partnership

Recognition of security risks

The Quad partners acknowledge the risks associated with the software supply chain being tampered with by adversarial and non-adversarial threats.

Secure software development practices

The document outlines high-level secure software development practices, including preparing the organization, protecting software and its development environment, producing well-secured software, and responding to vulnerabilities.

Promotion of secure software culture

The Quad partners aim to promote a culture where software security is a fundamental aspect of software development.

Government procurement guidelines

Each Quad country intends to adopt guidelines for government procurement of software, including self-attestation by software producers regarding secure development practices and encouraging participation in national vulnerability disclosure programs.

Minimum cybersecurity guidelines

The Quad partners commit to establishing minimum cybersecurity guidelines for governments to guide software development, procurement, and usage, aligned with international obligations and domestic laws.

Security measures for government software use

The Quad partners commit to implementing controls and processes to protect government software and platforms from unauthorized access and usage.

Engagement with the software industry

They plan to engage with the software industry to ensure secure software practices are integrated throughout the software development life cycle, with the goal of reducing vulnerabilities.

 

Secure by Design and Default International Support

In April 2023, the Australian Cyber Security Center (ACSC) published "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default." This is the same document that has become the guiding foundation for the US cybersecurity strategy. Though the guidance has been led by CISA and the FBI in the US, the document represents a collaboration across many international cybersecurity organizations:

  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • Canadian Centre for Cyber Security (CCCS)
  • United Kingdom’s National Cyber Security Centre (NCSC-UK)
  • Germany’s Federal Office for Information Security (BSI)
  • Netherlands’ National Cyber Security Centre (NCSC-NL)
  • New Zealand's National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)

The significance of this collaboration cannot be overstated as it represents a pivotal shift in cybersecurity responsibility towards software organizations. As previously discussed, the "Secure by Design and by Default" approach highlights the crucial integration of security into the design and default settings of technology products, effectively mitigating cyber threats. It emphasizes that the onus of security should not solely rest on end-users, compelling technology manufacturers to prioritize security as a core business objective. To achieve success, a global shift towards embracing Secure-by-Design and Secure-by-Default practices is imperative, fostering transparency, accountability, and collaboration between manufacturers and customers. This necessitates manufacturers being held accountable for product security outcomes and prioritizing Secure-by-Design and Secure-by-Default principles when making technology procurement decisions. Overall, this guidance shapes future cybersecurity policies by advocating for proactive security measures and shared responsibility within the technology ecosystem.

Are software supply chain regulations working? 

As we've seen from the analysis above, we're still in the very early stages of implementing true regulation that will hold people accountable for more secure software supply chains. 

But, especially in the US, the conversation and incremental changes since President Biden’s Executive Order 14028, Improving the Nation's Cybersecurity, are starting to become noticeable. As a direct requirement of the executive order, the OMB was instructed to develop policy for federal agencies working with government contractors. Following that directive, the OMB released M-22-18, highlighting the importance and potential requirement for SBOMs, especially as part of new self-attestation standards. To understand this further, we surveyed 217 Cybersecurity Directors in organizations with over £50 million/$50 million revenue in the UK and US respectively, and asked to what extent various policies were affecting their actions toward software supply chain management today.
A huge majority (76%) of enterprises have adopted SBOMs since EO 14028's introduction. Another 16% plan to implement SBOMs within the next year, showing increasing recognition of the correlation between open source hygiene and cybersecurity posture. Of the three-quarters of companies with SBOMs in place, only 4% adopted them over three years ago, demonstrating how much practices have evolved since EO 14028.

Our research also confirmed EO 14028 has influenced enterprises' software development practices in ways transcending SBOMs. Respondents are increasingly investing in technologies to improve software supply chain management, including vulnerability scanning (30%), software composition analysis (24%), supply chain automation (23%), threat intelligence (22%), and bug bounty programs (20%). The regulation has also fueled investment in skills and operations like employee training and awareness (26%), recruiting developer talent (21%), and processes to assess supply chain risks (24%).

We also examined attitudes to regulation in the UK and the US, uncovering that large enterprises generally see regulation as a good thing. In fact, 41% of security decision-makers see cyber regulation as the factor having the greatest positive impact on software security. Some, however, lament the volume of cybersecurity regulation, with 44% of business leaders believing there is too much government intervention on cybersecurity overall.

FIGURE 5.1. HOW SURVEY RESPONDENTS FEEL ABOUT THE AMOUNT OF SECURITY GUIDANCE AND REGULATION IN THEIR COUNTRY

FIGURE 5.2. PERCENTAGE OF SECURITY LEADERS WHO BELIEVE REGULATIONS ARE EFFECTIVE FOR IMPROVING CYBERSECURITY

Navigating the policy frontier: Global cybersecurity regulations

The global landscape of cybersecurity guidance and regulation in 2023 reflects a marked transformation compared to years past, driven by the ever-increasing urgency to address evolving cyber threats.

Initiatives and regulatory actions taken by key players such as the US, EU, UK, Australia, Canada, Japan, and New Zealand demonstrate a shared commitment to improve digital defenses and safeguard critical infrastructure.

Three key themes have emerged:

  • Heightened emphasis on security during software creation.
  • Holding software producers accountable for their products.
  • The need for robust processes to address cybersecurity incidents.

The global trend of cybersecurity regulations in 2023 demonstrates a growing collective endeavor to adapt to the ever-changing threat environment. Further international cooperation in this regard will be necessary to better prioritize secure software development practices. Regulations covered above as well as future related initiatives will play a pivotal role in shaping the future of cybersecurity policies and practices at scale worldwide.
