The January 16th release of what is believed to be the Biden administration’s final executive order is showcasing some of the strongest language yet focused on driving greater progress towards enhancing software supply chain security, Post Quantum Cryptography (PQC) adoption, and cryptographic posture management. The executive order sets stringent standards and promotes advanced security practices not only for government agencies, but the private sector as well.
With recent successful supply chain attacks targeting trusted vendors and their government customers (see the US Treasury-Beyond trust breach), the integrity of our software supply-chain has once again been thrust into focus. This latest executive order will help to establish a common standard for submitting machine readable software attestations and supporting artifacts like software and cryptographic bill of materials.
On the topic of PQC, there will be a concerted effort to expand awareness around PQC-ready products by providing a list of product categories that support PQC. Subsequently, agencies will be required to include a requirement for products that support PQC preparedness and adoption in future solicitations. Lastly, agencies will be required to start adopting new PQC standards after identifying network security products and services that are actively employed within their systems. There will also be direct outreach from the U.S. government to its allies and partners to encourage similar action within their technology environments.
Finally, within the area of cryptographic posture management, the executive order focuses on requiring Federal Civilian Executive Branch (FCEB) agencies to adopt best practices around protecting the root of trust for systems –specifically, key generation, usage, and overall lifecycle management. The foundational components of a root of trust revolve around hardware security modules (HSMs), trusted execution environments (TEEs), Trusted Platform Modules (TPMs), and entropy sources, to name a few. All of which have been incorporated into modern secure computing solutions from major hardware providers like Intel with its confidential computing platform and Marvell with its next generation Liquid-Security HSM adapters.
By including such solutions into ongoing zero trust and technology modernization projects, the FCEB and its industry partners will raise the cost of supply-chain attacks and simultaneously increase integrity and security of its supply chain ecosystem.
As the Biden administration concludes its term, this executive order sets a robust framework for future cybersecurity initiatives. By establishing common standards for software attestations, promoting PQC readiness, and enforcing best practices in cryptographic posture management, the order aims to fortify the integrity and security of the nation’s software supply chain. It should serve as a signal of what is to come with the new Trump administration. With a keen focus on further protecting U.S. intellectual property and sovereignty from emerging supply-based and quantum attacks.
As we move forward, it is crucial for government agencies and the private sector alike to actively engage in implementing these directives. Together, we can enhance our collective cybersecurity posture and protect our digital infrastructure from emerging threats. Let us commit to adopting these best practices and innovations, ensuring a safer and more secure future for all.
Ad
Join over 500,000 cybersecurity professionals in our LinkedIn group “Information Security Community”!