Biden Administration deploys Executive Order seeking to protect software supply chains

The last-minute effort from the outgoing administration includes new requirements for software vendors that supply the federal government.

The last-minute cybersecurity executive order from the outgoing Biden administration, signed by President Joe Biden Thursday, includes several new requirements for software vendors that supply the federal government.

While existing efforts from the White House have sought to improve software security in connection with government procurement—such as Biden’s cybersecurity-focused Executive Order 14028 from 2021—the requirements in the new executive order go further, according to Wei Chen, chief legal officer at cybersecurity vendor Infoblox.

The order is “putting additional muscle behind the things that have already been proven and identified as best practice,” Chen, who had seen a draft version of the order, said in an interview.

The new requirements for software providers that do business with the federal government are aimed at bolstering the security of software supply chains and reducing vulnerabilities that could impact federal agencies.

The requirements include needing to provide “machine-readable secure software development attestations” as well as “high-level artifacts to validate those attestations” and “a list of the providers’ Federal Civilian Executive Branch (FCEB) agency software customers,” according to the Biden administration’s post about the new executive order.

The order requires the director of the Office of Management and Budget (OMB) to recommend new contract language—which will require software vendors to submit the attestations and other required items—within 30 days to the Federal Acquisition Regulatory Council (FAR Council).

Software providers will be required to submit the attestations, artifacts and customer lists to the Cybersecurity and Infrastructure Security Agency (CISA), according to the White House post about the order.

White House executive orders can be ignored by the next administration, and the order comes days before President Donald Trump is set to be inaugurated on Jan. 20.

However, Chen told CRN she is optimistic that the order will still end up having an impact.

“I don't see anything that is not bipartisan [in the order],” she said. “And cybersecurity is a bipartisan issue.”

In addition to boosting software security, the executive order includes a number of additional measures related to protecting the federal government—such as requiring the use of phishing-resistant authentication within federal agencies and obligating agencies to enable encrypted DNS protocols within 180 days.

Nation-state attacks continue

The backdrop to the order is that “adversarial countries and criminals continue to conduct cyber campaigns targeting the United States and Americans, with the People’s Republic of China presenting the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks,” the White House post on the order said.

“More must be done to improve the Nation’s cybersecurity against these threats,” the post said.

A series of state-sponsored attacks in recent years has impacted the U.S. government, among them the widely felt SolarWinds Orion software supply chain compromise of 2020.

More recently, at least nine U.S. telecommunications providers were impacted in last year’s attacks by the China-linked espionage group tracked as Salt Typhoon—through which some federal officials saw their communications compromised, according to U.S. officials.