The President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity (14028)” issued on May 12, 2021, charges multiple agencies – including NIST – with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.
Section 4 of the EO directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. Those guidelines are to include:
- criteria to evaluate software security,
- criteria to evaluate the security practices of the developers and suppliers themselves, and
- innovative tools or methods to demonstrate conformance with secure practices.
The EO calls for NIST to consult with the National Security Agency (NSA), Office of Management and Budget (OMB), Cybersecurity & Infrastructure Security Agency (CISA), and the Director of National Intelligence (DNI) and then to define “critical software” by June 26, 2021.
NIST is to publish guidance outlining security measures for critical software by July 11, 2021, after consulting with CISA and OMB.
Also by July 11, 2021, after consulting with the NSA, NIST will publish guidelines recommending minimum standards for vendors’ testing of their software source code.
By November 8, 2021, NIST is to publish preliminary guidelines, based on stakeholder input and existing documents for enhancing software supply chain security.
By February 6, 2022, after consulting heads of various agencies, NIST is to issue guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria.
By May 6, 2022, NIST will publish additional guidelines, including procedures for periodically reviewing and updating guidelines.
The EO also directs NIST to initiate two labeling programs related to the Internet of Things (IoT) and software to inform consumers about the security of their products. Those efforts have initial deadlines of February 6, 2022. NIST will issue a summary report about cybersecurity labeling of consumer IoT products or consumer software products by May 12, 2022, in accordance with the executive order.
Like its other assignments in the EO, NIST is relying heavily on stakeholder ideas and information in carrying out these tasks.
