Introduction and overview of guidance
Executive Order (EO) 14028 on “Improving the Nation’s Cybersecurity,” issued on May 12, 2021, directed the National Institute of Standards and Technology (NIST) to publish guidance on practices for software supply chain security. More details on EO 14028 can be found at reedsmith.com. Following this directive, NIST published guidance on February 4, 2022 to assist federal agencies in determining what information to request from software producers regarding their secure software development practices. The procurement of software includes firmware, operating systems, applications, application services (e.g., cloud-based software), and products containing software. Additionally, the guidance has provisions outlining how to ensure and verify that the software has the appropriate lifecycle management and security and how to establish these safeguards during procurement.
Although NIST drafted the guidance to assist federal agencies, it also applies to private businesses that sell or resell software products to federal agencies, and can be used by private businesses in negotiating software contracts and as part of a programmatic approach to information security.
Global increase in cybersecurity risks
Globally and across industries, businesses are experiencing an increase in cybersecurity threats. Indications are that cybercrimes of all types are on the rise, with ransomware demands rising and incidents being more damaging to systems than in the past. The ongoing conflict between Russia and Ukraine has highlighted the rising risks associated with cybersecurity events, as bad actors take advantage of the turmoil and seek to interrupt the economies and operations of the countries. There is heightened risk for entities conducting business in Russia or Ukraine, and for those nations and private entities that have imposed sanctions. Potential significant targets include financial services and utilities.
Reliance on software vendors and third party service providers without proper information security controls in place can increase the risk of a cybersecurity event in your organization, and both procurers and suppliers should be aware of the risks presented by bad actors.
The NotPetya and SolarWinds incidents present particularly notable examples of the cybersecurity risks that may arise in the software supply chain. NotPetya, a global malware attack in 2017 believed to have been perpetrated by Russian government hackers, initially targeted Ukrainian companies. The attack was propagated when malicious code was inserted into a routine update to Ukraine tax preparation software but caused collateral damage to entities around the world. Similarly, the SolarWinds hack, perpetrated by a group of hackers who are also believed to be Russian, added malicious code to a software system that was pushed out to the companies’ customers through a normal update protocol. The code in the SolarWinds update created a backdoor that allowed hackers to access the affected systems and perpetrate the largest security incident in history.
NIST guidance on software supply chain security
Under the new NIST guidance, software producers who sell to federal agencies will likely be asked to provide a conformance statement attesting that their software development processes contain Secure Software Development Framework practices. This statement should include a description of which product(s) the statement refers to at the company or product line level, an attestation that the software producer follows appropriate and applicable secure development practices and tasks, and contact information in the form of the name and title of the individual who is the main point of contact. Although not required, a summary of the secure software development activities, which will fall into the four main categories of (1) preparing the organization, (2) protecting software, (3) producing well-secured software, and (4) responding to vulnerabilities, may be provided. To the extent that software producers do not already have these types of conformance statements in place, developing this documentation will be advantageous in negotiations for both government suppliers and suppliers whose activity is limited to the private sector.
Additionally, software procurers should request and review documentation that outlines the security posture of potential suppliers to protect their organizations and understand their own potential vulnerabilities.
Representations and warranties purchasers should secure from software suppliers
Parties involved in software procurement can mitigate risk by securing representations and warranties from developers in their contracts. The NIST guidance advises federal agencies to ensure that developers are representing that their software development is secure throughout the lifecycle of development. The guidance further advises agencies to require developers to attest to secure development processes and procedures from conception to post-release updates. Where appropriate, agencies should ask for disclosure of vulnerabilities and efforts to patch those vulnerabilities. Further, NIST recommends tailoring technical requests to the audience that will review them to take advantage of the expertise and skill of staff. Private businesses can draw lessons from this guidance by carefully drafting and asking for representations and warranties from their counterparts regarding the development process and vulnerability testing. Organizations should plan granular requests for technical development information around the internal capabilities and risk profile of the software at issue.
The guidance also advises agencies to complete risk assessments of suppliers and determine if additional steps are necessary to adequately mitigate security risk. Private industry commonly addresses these issues through the use of third-party assessments, certifications (ISO, PCI-DSS, etc.), and on-site or remote audits. Organizations should consider the risk profile of the software and determine what level of assessment is necessary.
Cyber liability insurance
Although not included in the NIST guidance itself, both procurers and suppliers should consider obtaining cyber liability insurance, or reviewing current coverage, and examining it for sufficiency in the face of the new and increasing cyber threats that entities encounter. Some general liability policies exclude cyber events while cyber-specific policies often have lower coverage limits. Compounding these issues, cyber liability insurance policies often contain exclusions for “acts of war,” but this exclusion has been challenged in court. In the wake of the 2017 NotPetya malware attack, Merck, a global biopharmaceutical company, won a $1.4 billion lawsuit against its cyber insurer, who initially denied “acts of war” coverage. A cyber liability insurance policy is an important risk mitigation mechanism. Existing policies should be carefully reviewed for any references to exclusions, particularly any exclusion referring to acts of war or cyber events. For policies containing such exclusions, reviewing previous policy versions to see modifications of language from previous terms is important.
Cyber events can be crippling and costly even when your entity is “only” collateral damage to an international conflict. Entities in all sectors must appreciate the recent examples of vulnerabilities in the software supply chain and take measures to safeguard their operations.
Client Alert 2022-083
