On June 18, 2023, the Biden-Harris administration announced the launch of a new “U.S. Cyber Trust Mark” program (hereinafter the “Program”). First proposed by Federal Communication Commission (“FCC”) Chairwoman Jessica Rosenworcel, the Program aims to increase transparency and competition across the smart devices sector and to assist consumers in making informed decisions about the security of the devices they purchase.
Softening the Blow: OMB Extends Software Supply Chain Security Deadline and Clarifies Scope
On June 9, 2023, the Office of Management and Budget (OMB) released M-23-16, Update to Memorandum M-22-18, which alters key deadlines and clarifies how agencies and software developers can comply with M-22-18. The original memorandum, published in September 2022, required all federal agencies and their software developers to comply with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance (collectively, NIST Guidance) whenever third-party software is used on government information systems or otherwise affects government information.
MOVEit Vulnerability: What to Know and What to Do
A new Cybersecurity & Infrastructure Security Agency (CISA) alert advises that, starting in late May, a well-known ransomware group called Clop compromised a widely used managed file transfer (MFT) platform called MOVEit Transfer, reportedly impacting hundreds of companies globally.
MFT platforms are used to securely transfer files between parties, and Clop reportedly compromised MOVEit Transfer using a previously unknown (zero-day) vulnerability that allowed attackers to steal files from MOVEit’s underlying database. This vulnerability is now tracked as CVE-2023-34362.
Clop has previously targeted MFT platforms such as Accellion and has shown that it is prepared to follow through on threatened next steps. In this case, Clop is threatening to identify victim companies on the Clop site as soon as June 14 and then, if a ransom is not paid, publish victims’ stolen data. In prior attacks, Clop has also reportedly contacted victim companies directly with ransom demands, sometimes weeks or more after the attack. We do not recommend that victims contact threat actors like Clop directly but instead work with experts to do so safely, if necessary.
Continue Reading MOVEit Vulnerability: What to Know and What to Do
Save the Last (Byte) Dance: New Interim Rule Bars TikTok and Successor ByteDance Apps
On June 2, 2023, the FAR Council issued an Interim Rule with immediate effect that prohibits the presence or use of the TikTok app on “information technology” (IT) equipment used by government contractors and contractor personnel in the performance of a contract. The interim rule mirrors the Office of Management and Budget’s guidance, which directed federal agencies to remove TikTok and successor apps made by Chinese company ByteDance Limited from federal devices (to implement the No TikTok on Government Devices Act).
CISA Releases Draft Secure Software Development Self-Attestation Form
On April 28, 2023 the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited draft Secure Software Development Self-Attestation Form. The form is a key component of the mandatory software supply chain security requirements introduced by last fall in Office of Management and Budget (OMB) Memorandum M-22-18. The Form requires certain software developers to attest to specific security elements of their software development life cycle (SDLC) and their development environment.
Background
In May 2021, the Biden Administration issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.” The EO directed the federal government to prioritize software supply chain security, including by creating secure software development practices for federal software acquisitions. Pursuant to the EO, in February 2022 the National Institute of Standards and Technology (NIST) published NIST Special Publication 800-218 and the NIST Software Supply Chain Security Guidance (collectively, the NIST Secure Software Development Framework, or NIST SSDF), providing software development-focused security controls and best practices for federal agencies and their commercial software partners.
OMB Memorandum M-22-18, published on September 14, 2022, requires companies providing software to the federal government to complete the self-attestation form to certify that they comply with the NIST SSDF controls and guidance whenever third-party software is used on government information systems or otherwise affects government information.
Continue Reading CISA Releases Draft Secure Software Development Self-Attestation Form
Biden Administration Releases Comprehensive National Cybersecurity Strategy
On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”
Summary and Analysis
The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security and improve critical infrastructure defenses. It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes, to receiving support from the federal government. For example, the Strategy highlights improving the security of Internet of Things (IoT) devices and expanding IoT cybersecurity labels, investing in quantum-resisting systems, developing a stronger cyber workforce, evolving privacy-enhancing platforms, and adopting security practices that are aligned with the National Institute of Standards and Technology (NIST) framework are some other suggested approaches that the private sector could take.
Continue Reading Biden Administration Releases Comprehensive National Cybersecurity Strategy
Going Hard on Software: OMB Unveils Mandatory Software Supply Chain Security Compliance Requirements
Yesterday, the Office of Management and Budget (OMB) released Memorandum M-22-18, implementing software supply chain security requirements that will have a significant impact on software companies and vendors in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity. The Memorandum requires all federal agencies and their software suppliers to comply with the NIST Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance whenever third-party software is used on government information systems or otherwise affects government information. The term “software” includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. It is critical to note that these requirements will apply whenever there is a major version update or new software that the government will be using.
No Summer Break for Cyber: Newly Unveiled CMMC Assessment Process Provides Industry with Upcoming Assessment Insights
After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP). The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification. The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0.