On May 12, 2021, U.S. president Joe Biden issued an executive order on “Improving the Nation’s Cybersecurity” (Executive Order 14028). It was created in response to the growing number of cyberattacks launched against government agencies, critical infrastructure, and private companies based in the U.S.
Executive Order 14028 aims to help both the U.S. government and the private sector better protect themselves against cyber threats. To achieve this goal, the order establishes a framework that explains how to improve cybersecurity in the U.S. and specifies the technologies and practices required for this purpose. Specifically, EO 14028 requires organizations to implement three cybersecurity measures:
• Securing development processes to prevent supply chain attacks.
• Scanning application code to ensure it is secure.
• Creating a software bill of materials (SBOM) to identify if there are vulnerable components used within a software application.
This is part of a series of articles about SBOM.
Here are the main parties affected by Executive Order 14028:
Executive Order 14028 outlines four main requirements to strengthen the security posture of U.S. agencies, federal contractors, and the general public. Here is a brief overview of these requirements:
Sharing threat intelligence
Section 2 of the order requires all federal contracts, including cloud providers and cyber security providers, to share their threat intelligence and report on incidents. They must directly inform the agency affected, report all cyber events to CISA (the Cybersecurity and Infrastructure Security Agency), and cooperate in all investigations.
Implementing stronger security measures
Various sections of the order require federal agencies and critical infrastructure institutions to adopt adequate security standards. For example, section 3 directs the implementation of zero trust security, section 6 directs CISA to build an incident response playbook to be adopted as a standard for all government agencies, and section 7 requires implementing endpoint detection and response (EDR) technology.
Improving software supply chain security
The order mandates improving the security of all software used by federal government agencies. This part is explained in section 4, which directs NIST to review information from various sources, including agencies and private companies, and create standards for building and using software securely.
For example, the order requires using automated tools to secure development environments, generating software bill of materials (SBOM) reports to drive transparency, encrypting data, disclosing vulnerabilities, and more. The Office of Management and Budgeting (OMB) is directed to enforce these practices.
Investigating incidents to prevent future occurrences
The order seeks to ensure that incidents do not repeat themselves and the U.S. improves its overall security rapidly to better defend and prevent security incidents. The order directs the Attorney General and the Secretary of Homeland Security to establish a cyber safety review board to achieve this aim.
This board is required to review and assess significant cyber incidents affecting the information systems of federal civilian executive branch (FCEB) agencies and non-federal systems, as well as vulnerabilities and agency responses. Section 5 directs the Secretary of Homeland Security to prolong the mandate of this board every two years as deemed necessary unless otherwise stated by the president.
Here are three key steps that can help get you closer to complying with Executive Order 14208:
The order requires securing development environments and processes by:
• Achieving visibility into software development infrastructure to determine where security processes and tools should be implemented.
• Implementing control over access to continuous integration (CI) pipelines, code repositories, and artifact registries, and adopting least-privileged access throughout the software delivery lifecycle (SDLC).
• Securing the development environment by scanning for security vulnerabilities and licensing issues on each build, to prevent malicious add-ons.
• Using separately administered build environments and auditing relationships of trust.
• Documenting and reducing dependencies as much as possible in enterprise products that comprise the environment used to develop, edit, and maintain software.
The order includes more directives to ensure secure software development and minimize supply chain risks.
The order places importance on verifying that all source code is written securely and can be trusted. Code scanners can help with this aspect by automatically identifying vulnerabilities, malware, secrets, and other threats. Organizations should identify vulnerabilities during the early phases of the SDLC to ensure detection when it is easiest and cost-effective to fix issues.
Organizations can shift security left more easily by using code scanners that automate the process of identifying vulnerabilities, integrate with IDEs and CI/CD tools, and run against binaries. Tools with low false positive rates and policy automation are preferable to prevent alert fatigue and ensure teams have time to focus on pressing security issues.
An SBOM tool generates a list of all components included within a certain piece of software. The order requires using SBOM regularly, directing organizations and agencies to use it to meet compliance.
An SBOM can help determine whether a certain software product is safe to use in the code, holding third-party software suppliers accountable for the security and quality of their products. It provides information about the open-source and proprietary dependency tree, including information about vulnerabilities and the specific license of each component.
Cybeats' SBOM Studio is a comprehensive solution designed to manage and distribute software bill of materials (SBOMs) in a single platform. It provides organizations with a centralized view of cybersecurity vulnerabilities, enabling them to improve the visibility and security of their software supply chain. SBOM Studio is useful for organizations of all sizes and industries, as it helps them to improve their vulnerability management processes, reduce the cost of protection, and enhance compliance.
SBOM Studio is also agnostic to SBOM generation tools, meaning it can work with any tool to validate and correct imported SBOMs, improving the accuracy of SBOMs. In addition, it simplifies the implementation process, speeds up the fixing of vulnerabilities, and automates SBOM management, ultimately improving the return on investment of SBOM adoption in an organization.
After generating software bill of materials (SBOMs) using any SBOM generation tool, clients who upload their SBOMs to Cybeats' SBOM Studio can gain valuable insights into their software supply chain with the following features:
• During the import of SBOMs, SBOM Studio will validate the SBOM to ensure correct formatting according to the specification of the SBOM standards
• SBOMs that are not accurately formatted will either be auto-corrected for recoverable errors or rejected with meaningful information describing the root cause of the misalignment
• SBOM Studio enriches SBOMs as part of the import process, populating them with key information and details about the software supply chain intelligence data
• Continuous process of monitoring SBOMs, autonomous scanning for new vulnerabilities. SBOMs are living and breathing in SBOM Studio
• Categorizes and filters vulnerabilities by level of criticality to inform decision making
• Search for and identify specific SBOMs rapidly, and confidently and securely identify compromised components across the organization
• Prompts cyber teams with the recommended actions to optimally fix vulnerabilities and reduce cyber risk
• Display and categorizes vulnerabilities by level of criticality for prioritization of security workflow
• In leveraging a robust data lake, accurately determine how vulnerabilities affect your organization’s security posture
• Native plug-ins and other integrations that allow for seamless workflow
• User-intuitive interface is easy to learn and understand
• Securely share SBOMs with regulatory agencies, internal and external customers
• Share product SBOMs, while keeping your IP protected
• Ability to redact and hide specific parts of an SBOM before they are shared externally
• SBOM language agnostic with acceptance of all SBOMs, and easy conversion between SBOM languages
• Report generation and visually appealing dashboard, for use by leadership, to bridge gaps between vulnerability status and the budgeting, forecasting, risk-mitigation, prioritization strategies
• Offers‘ Governor View’ vantage that allows enhanced visibility into all the layers and subsidiaries of the core business, giving development, cyber teams and leadership more information to better prioritize and evaluate the risks and associated costs across the organization
• Satisfy Governance, Risk and Compliance (GRC) requirements by showing best practices and good cyber hygiene by having an SBOM for all of your own software, and for any 3rd-party products used by your enterprise
• License Infringement Notifications, when software that is used without permissions or licenses that can have associated legal risk and cost
• Industrial Controls and Critical Infrastructure
• Healthcare and Medical
• Enterprise
• Automotive and Aerospace
March 19, 2024
Tern is an open source software composition analysis and SBOM generation tool that generates SBOMs from container images. However, upon running this tool and generating a CycloneDX SBOM, a problem arose.
Read More →March 4, 2024
As a member of the PCAST Working Group on Cyber-Physical Resilience, I was involved in crafting the recent report outlining crucial steps to fortify the intricate systems that underpin our daily lives. One of our key recommendations, "Recommendation 4B: Promote Supply Chain
Read More →December 15, 2023
Notably, the Health Information Sharing and Analysis Center (Health-ISAC) is entering into a partnership with Cybeats, a leading software supply chain intelligence company, marking a substantial advancement in healthcare cybersecurity.
Read More →