Cyber Director’s Preview of National Strategy Highlights Federal Software Procurement

White House National Cyber Director Chris Inglis testifies during a House Oversight and Reform Committee hearing. Bill Clark/CQ-Roll Call, Inc via Getty Images

The national cyber director also indicated plans to rely on feedback from members of the software industry who are working on recommendations for “streamlining” sector-specific regulations.

National Cyber Director Chris Inglis plans to maintain the government’s focus on software procurement as part of a long overdue cybersecurity strategy that will center on government spending—starting with funding already appropriated by Congress—according to the readout of a recent meeting of presidential advisors.

“Mr. Inglis said that government procurement of secure software should be included in the national cybersecurity strategy,” reads the Cybersecurity and Infrastructure Security Agency summary of a Dec. 1 meeting of the president’s National Security Telecommunications Advisory Committee. “He underscored that it should be easier for agencies to procure safer products.”

The president’s NSTAC is made up of representatives from the federal software vendor pool, including: Unisys Corp.; Microsoft Corp.; NightDragon Security, LLC; Cohere Technologies, Inc.; Palo Alto Networks, Inc.; Communication Technologies, Inc.; Two Island Partners; Tenable Holdings, Inc.; Qualcomm; MediaKind, Inc.; Ciena Corp.; and Lumen Technologies, Inc.

During the meeting, CISA Executive Director Brandon Wales read through a series of actions the administration has taken based on the NSTAC’s recommendations. The list included a binding operational directive for agencies to conduct weekly scans of their networks and digital assets; the alleviation of compliance concerns with export controls on standards participation; support in the President’s FY 2023 budget along with a state and local grant program for transitioning to a ‘zero trust’ cybersecurity approach; post-quantum cryptography plans; and the Defense Department prototyping fifth-generation telecommunication networks.

Inglis said the national cybersecurity strategy, which is long overdue and was expected this fall, is still not final but that the administration has already begun implementing “steps to begin the process of rebuilding the country’s cybersecurity infrastructure,” according to the readout.

“This process began with two key pieces of legislation that have been passed into law—the Infrastructure Investment and Jobs Act and the Inflation Reduction Act of 2022,” the readout says, adding: “Mr. Inglis explained that these two laws are being utilized to rebuild both U.S. physical and digital infrastructure.”

His remarks echo efforts already underway through implementation of a May 2021 executive order on cybersecurity, which initially suggested agencies should require a software bill of materials, or SBOM, as a procurement condition. SBOMs are intended to give end users greater visibility into the software components that could enter their networks. But after leaving it up to agencies to determine their own SBOM requirement under the order, the Office of Management and Budget is now under pressure from the industry to actively discourage agencies from asking prospective contractors for an SBOM.

Inglis said the new national cybersecurity strategy should be implemented across all of the government, while noting that the U.S. “must construct—from the ground up—defensive infrastructure based on the principles of zero trust,” according to the readout. 

He also “conceded the complexity of this task and stated that to accomplish it, the government must harness the capabilities of public-private partnerships such as NSTAC,” reads the meeting summary.

During the meeting, Microsoft’s Scott Charney reported on the NSTAC’s plans to document the software security assurance that already exists in federal procurement.

The group is “examining the way in which the federal government requirements have been promulgated, assurance has been proved and compliance has been communicated,” according to the readout, which says the committee will also recommend ways to reduce security compliance obligations with various agencies that regulate cybersecurity for different sectors of critical infrastructure. 

“Mr. Charney explained that as the challenges are not limited to federal government procurement, the subcommittee is also examining the persistent challenge posed by an increasing number of sector-specific security requirements,” according to the readout. “He stated that the goal is to identify how the government can meaningfully streamline regulatory processes and promote cross-sector harmonization to ensure that assurances with security requirements [are] more effective and efficient.” 

The NSTAC will deliberate over and vote on the subcommittee’s new recommendations during its next meeting, set for February 2023.