Cybersecurity Executive Order: How to Comply with Software Supply Chain Requirements

On Wednesday, May 12, the Biden administration released a long-anticipated executive order designed to help strengthen America’s cybersecurity. One of the executive order’s most important sections deals with bolstering software supply chain security, which has been in the spotlight following a series of devastating supply chain attacks (such as the SolarWinds hack).
 
The executive order outlines several elements of supply chain security where organizations will face new and heightened regulations. These include threat detection, code provenance checks, the inventory of third-party components, and more. 

The U.S. government is expected to publish more specific standards governing each of these elements in the coming months, but the executive order offers enough information to help organizations get an early start on compliance.

How to Prepare for Compliance

Software Bill of Materials

  • Executive Order Text
    Vendors should provide “a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website.”
  • Tools to Support Compliance
    Software composition analysis solutions (which inventory open source software components). Formats like SPDX, SWID Tags, and CycloneDX can help communicate SBOM data.

Vulnerability Detection and Remediation

  • Executive Order Text
    Vendors should employ “automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release.”
  • Tools to Support Compliance
    A combination of software composition analysis (which helps identify and remediate vulnerabilities in open source code) and proprietary code testing tools such as SAST, DAST, IAST, and RAST.

Code Provenance

  • Executive Order Text
    Vendors should “[ensure and attest], to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.”
  • Strategies to Support Compliance
    Don’t assume a package is trusted just because it’s used in other software products. Build in quality gates before every update.

Vulnerability Disclosure Program

  • Executive Order Text
    Vendors should participate “in a vulnerability disclosure program that includes a reporting and disclosure process.”
  • Tools to Support Compliance
    Software composition analysis solutions identify and report on vulnerabilities in open source components, so they’ll be a go-to option for disclosing security issues in third-party code. Similarly, proprietary code testing tools will help organizations meet disclosure requirements for closed-source components.

Get a Head Start on Compliance

Sign up for a free consultation with one of our SCA experts, which includes an overview of how FOSSA can help your organization address new standards and requirements.