What the Cybersecurity Executive Order Means for Software Supply Chain Security
Security Best Practices & Advice

By Demi Ben-Ari | Jun 03, 2021 | 3 min read

Here’s what to expect and what you can do.

On May 12, 2021, President Biden signed the much-anticipated Executive Order (EO) on cybersecurity (EO 14028, "Improving the Nation's Cybersecurity"), which declared that the "prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security." The EO is clearly intended to address the issues that resulted in recent major cyber incidents such as the SolarWinds supply chain compromise, the Microsoft Exchange Server attacks and the Colonial Pipeline ransomware attack.

One important aspect of the EO is its focus on improving software supply chain security, which is a welcome and necessary step in the right direction. Here’s just some of what the new EO calls for, and what you can expect as a result:

Baseline security standards

The EO directs NIST to determine and publish guidelines and best practices for enhancing software supply chain security, covering how software sold to the government is built, tested and delivered. Federal agencies, as well as the private companies that sell software to them, will be required to adopt these standards. We can expect the Office of Management and Budget to turn those guidelines into binding requirements and to enforce them, so that agencies and their suppliers comply.

Enhanced information sharing

The EO addresses barriers to information sharing before and after cyber incidents by requiring IT providers that sell to the government to promptly report breaches and share cyber threat information. Doing so allows the federal government to prevent breaches, respond when they occur and share what it learns broadly to protect Americans. We can expect the language in contracts with IT and OT service providers to be updated accordingly, so that contractual barriers to sharing such information are removed.

Consumer labeling program

The EO calls for an Energy Star™-like labeling program indicating that software and IoT devices were developed securely. The idea is to create a distinguishable mark of quality and confidence that the government and the public can recognize at a glance. At the same time, this move is expected to reward more secure companies with better recognition in the marketplace.

Steps for prevention and preparation 

One way to anticipate a breach caused by third-party software is to watch for a degrading security posture at your software providers over time. A steady decline in a vendor's externally observable security posture is a tell-tale clue that something is amiss, and it is far more useful than a single point-in-time assessment.

It’s also important to take steps to prepare your organization for a possible third-party breach, which will help with response, remediation and recovery. Such steps should include mapping vendors, identifying important assets and reducing third- and fourth-party security risk. 

This can be accomplished by automating, accelerating and scaling your third-party security evaluation and management process. Doing so enables easy collaboration and communication between your company and its suppliers, resulting in efficient and effective risk remediation that is aligned with your security policies and risk appetite.
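The three preparation steps above (mapping vendors and their fourth parties, identifying important assets, and watching each vendor's posture over time) can be expressed as a small model. The following Python is an added example written for this post, not Panorays code or a description of the Panorays platform: every vendor name, asset name and posture score in it is constructed for illustration, and the scoring (points dropped from the best recent observation) is one simple choice among many.

```python
"""Added example (not part of the original post): map vendors and fourth parties to the
internal assets they can reach, track each vendor's posture over time, and flag vendors
whose posture has degraded while they still expose important assets.
All names, scores and dates below are constructed for illustration."""

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass
class Vendor:
    """A third party, or a fourth party reached through one."""
    name: str
    assets: Set[str] = field(default_factory=set)       # internal assets it can directly access
    suppliers: Set[str] = field(default_factory=set)    # vendors it depends on (our fourth parties)
    posture: List[Tuple[date, int]] = field(default_factory=list)  # (observation date, score 0-100)


def posture_drop(vendor: Vendor, window: int = 4) -> int:
    """Points lost from the best score in the last `window` observations to the latest one.
    A positive value means the vendor's posture has degraded within the window."""
    if not vendor.posture:
        return 0
    recent = [score for _, score in sorted(vendor.posture)[-window:]]
    return max(recent) - recent[-1]


def exposed_assets(vendors: Dict[str, Vendor], name: str) -> Set[str]:
    """Assets at risk if `name` is compromised: its own direct assets plus the assets of every
    vendor that (transitively) depends on it. Walks the dependency graph in reverse."""
    exposed: Set[str] = set()
    seen: Set[str] = set()
    stack = [name]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        vendor = vendors.get(current)
        if vendor is None:
            continue
        exposed |= vendor.assets
        # Every vendor that lists `current` as a supplier inherits the compromise.
        stack.extend(v.name for v in vendors.values() if current in v.suppliers)
    return exposed


def flag_degrading(vendors: Dict[str, Vendor], crown_jewels: Set[str],
                   drop_threshold: int = 15, window: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Vendors whose posture dropped by at least `drop_threshold` points, ordered by how many
    important assets they expose and then by the size of the drop."""
    flagged = []
    for v in vendors.values():
        drop = posture_drop(v, window)
        if drop >= drop_threshold:
            important = exposed_assets(vendors, v.name) & crown_jewels
            flagged.append((v.name, drop, sorted(important)))
    flagged.sort(key=lambda item: (len(item[2]), item[1]), reverse=True)
    return flagged


# Constructed sample: the assets we most need to protect ...
CROWN_JEWELS = {"source-repos", "build-signing-keys", "employee-pii"}


def sample_vendors() -> Dict[str, Vendor]:
    """... and a constructed vendor map with one shared fourth party ('cloudlog')."""
    vendors = [
        Vendor("acme-build", {"source-repos", "build-signing-keys"}, {"cloudlog"},
               [(date(2021, 2, 1), 90), (date(2021, 3, 1), 88),
                (date(2021, 4, 1), 72), (date(2021, 5, 1), 65)]),   # steadily degrading
        Vendor("payroll-co", {"employee-pii"}, {"cloudlog"},
               [(date(2021, 2, 1), 80), (date(2021, 3, 1), 82),
                (date(2021, 4, 1), 81), (date(2021, 5, 1), 83)]),   # stable
        Vendor("cloudlog", set(), set(),
               [(date(2021, 4, 1), 85), (date(2021, 5, 1), 70)]),   # fourth party, degrading
        Vendor("swag-shop", {"marketing-site"}, set(),
               [(date(2021, 4, 1), 60), (date(2021, 5, 1), 40)]),   # degrading, low impact
    ]
    return {v.name: v for v in vendors}


if __name__ == "__main__":
    for name, drop, important in flag_degrading(sample_vendors(), CROWN_JEWELS):
        print(f"{name}: posture down {drop} points, important assets exposed: {important}")
```

Note that the fourth party "cloudlog" never touches an internal asset directly, yet it ranks first because two direct vendors depend on it; this is exactly the kind of exposure that vendor mapping is meant to surface and that a vendor-by-vendor questionnaire misses.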

Want to learn more about how to prepare for and respond to a supply chain breach? Download our Third-Party Incident Response Playbook.

Demi Ben-Ari

Demi Ben-Ari is CTO and Co-Founder of Panorays. He’s a software engineer, entrepreneur and international tech speaker, and takes #CyberSelfies like nobody else can.
