A majority of organizations required to adhere to the software security reporting requirements set forth by the Cybersecurity and Infrastructure Security Agency were not prepared to comply by today’s deadline, according to a survey conducted by Lineaje, a company that provides software supply chain risk management to software companies.
The report indicated that 84% of respondents, who were mostly software contractors, had failed to meet cybersecurity standards by instituting a Software Bill of Materials (SBOM), which was required in May 2021 via Executive Order 14028. According to the survey, the lack of compliance can be attributed to budget and staff restrictions, as well as insufficient awareness of what is required.
An SBOM is an inventory of software components and is seen as the “key building block” in software security and supply chain risk management.
“These findings demonstrate that, in many cases, the federal government’s efforts to prevent cyber infiltration have yet to translate into real-world action,” according to the report.
CISA did not immediately return a Federal Times request for comment.
The required self-attestation forms, entitled the Software Development Attestation Form and part of the presidential order, are a way for software producers that sell to the federal government to affirm they are following guidelines to ensure their networks are secure. The directive requires these service providers to share with the federal government any cyber incidents and threat information that could impact the federal government’s IT systems. The forms were due June 11, 2024, according to a White House memorandum.
The federal government is pushing the need for a secure software supply chain because past incidents exemplify its necessity. For example, in 2020 malicious code was inserted into SolarWinds software, opening a path into the digital infrastructure of federal agencies and large corporations, which were compromised as a result, according to a 2022 White House briefing.
“This incident was one of a string of cyber intrusions and significant software vulnerabilities over the last two years that have threatened the delivery of Government services to the public, as well as the integrity of vast amounts of personal information and business data that is managed by the private sector,” according to the briefing.
According to the survey, 65% of respondents said their companies were unaware of EO 14028. Of the companies that were aware of the order, roughly half said they’re not knowledgeable on its specific requirements.
“Executive Order 14028 urges organizations working with government agencies to modernize their security protocols, including generating SBOMs and attestation to secure development practices, which is viewed as a major leap forward for national cybersecurity,” Katie Norton, the research manager of DevSecOps and software supply chain security at IDC, said in the release. “However, most organizations are unaware of their exposure and are inadequately protected, leaving them prone to supply chain attacks.”
Norton said IDC research revealed that 23% of those surveyed were victims of a software supply chain attack, which is a 241% increase from the year before and exemplifies the need for an increase in awareness on this issue among these professionals.
The survey collected information from over 100 security professionals. Of the respondents, 45% cited budget limitations and 36% cited staffing shortages as reasons for slow progress in securing their companies’ software supply chains.
“The efforts of the federal government to safeguard our software supply chain are laudable — but it’s clear that awareness has fallen short,” CEO and co-founder of Lineaje Javed Hasan said in the release. “While businesses can’t build without open-source software, they also can’t survive long-term if that same open-source software is riddled with security vulnerabilities. Software vendors and cybersecurity professionals need to educate themselves and take immediate action on the upcoming compliance deadlines to protect their organizations and contribute to enhancing the nation’s overall cybersecurity posture.”
While the executive order doesn’t carry the force of law, compliance with it is incentivized. For example, companies that wish to do business with the federal government benefit from adhering to its rules.
Agencies are in the process of ironing out a rule that would require software companies to comply with the executive order, according to the latest regulatory update from the Department of Defense.
Cristina Stassis is an editorial fellow for Defense News and Military Times, where she covers stories surrounding the defense industry, national security, military/veteran affairs and more. She is currently studying journalism and mass communication and international affairs at the George Washington University.