The President’s Executive Order, Improving the Nation’s Cybersecurity, charted a new course for the nation’s cybersecurity. And we have begun implementation of one of the most important components of the Executive Order. As of yesterday, every company that sells software to the government must have a rigorous software security program in place. The requirement covers traditional commercial on-premise software, software provided as a service, and any included open source software components.
We know Americans are concerned about cybersecurity – we’ve seen the cost of ransomware attacks on businesses of all sizes and the disruption they have caused to critical services in countries around the world. And we know that a foundational part of building cyber resilience is building in security throughout the lifecycle of a product, from the initial design phase through deployment. We buy a car with pre-installed seatbelts and airbags. We should be able to buy software with security baked in. With the implementation of this component of the Executive Order, the federal government is leveraging its procurement power to improve the security of the software that we all use – including software we install in some of our nation’s most critical infrastructure.
We thank NIST and our private sector partners for their collaboration to develop the Secure Software Development Framework (SSDF), which NIST published last month. The SSDF contains a set of practices that create the foundation for developing secure software, which every company that sells software to the government must now follow. We also thank OMB for working with the private sector over the next 60 days to outline guidance for how companies will attest to their compliance with the SSDF as they sell software to the United States Government.