In recent years the demands of US Federal agencies have driven forward cybersecurity best practice in many areas of ITAM. For example:
All of these developments represent opportunities for ITAM teams to get involved in securing their organizations against cyber-attacks. Importantly, the requirements imposed upon software publishers and developers mean that every software consumer will benefit from these changes.
Essentially, Executive Order 14028 (issued in May 2021) requires software publishers and developers to attest to the fact that they employ secure software development practices, as defined by NIST, in order for their software to be deployable by a US Federal agency. However, this only applies to new software and new major versions of existing software deployed since the EO was issued last year, so for now this limits the scope and operational impact.
ITAM teams have been tracking application lifecycle information, such as release age, for many years. Commercial regulatory and compliance standards such as PCI-DSS require this, often mandating that deployed software must be currently supported and be no older than one major version of the current release (often referred to as version N-1).
The cut-off point for attesting conformity effectively mandates that federal agencies maintain a full software and hardware inventory – hardware is also in scope, because software in this case includes the firmware controlling hardware devices, such as the BIOS. The EO mandates that this full inventory must be in place by the end of 2022. This inventory must go beyond the application layer, and also cover the components of individual applications in the form of a Software Bill of Materials (SBOM). Whilst this is of greatest importance to users of open-source software it also affects proprietary software, due to its widespread use of open source libraries.
The purpose of an SBOM is to provide an “ingredients list” of the components making up a software application. Recently, software vulnerabilities have come to light in widely-used open source libraries such as log4j which have put organizations at risk. A conventional software inventory tool may only discover the application name and provide no insight into the libraries and components which make up that application. That is what an SBOM attempts to address. As ITAM teams we should expect tools to begin adding SBOM generation capabilities as this requirement becomes more widespread. Whilst your security teams might already have tools which can generate and maintain SBOMs, this requirement still provides an opportunity for building closer ties with them.
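To make the two inventory checks above concrete (the N-1 major version rule from the PCI-DSS paragraph and the component-level visibility an SBOM gives), here is an added example that is not part of the original article and not any vendor's tool. It walks a small SBOM written in the CycloneDX JSON shape, flattens nested components so that libraries inside an application become visible, flags components on a watchlist, and reports applications or firmware more than one major version behind the current release. The SBOM document, the watchlist entry and its version ceiling, and the "current release" table are all constructed sample data.

```python
"""Added example (not from the original article): walk a CycloneDX-style
SBOM, list every component it declares, flag components on a watchlist,
and apply the "no older than N-1 major version" rule.  The SBOM document,
watchlist and "current release" table below are constructed sample data."""
import json
import re

# Constructed sample SBOM in CycloneDX JSON shape (not a real product's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "example-portal", "version": "3.2.0",
         "components": [
             {"type": "library", "name": "log4j-core", "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
             {"type": "library", "name": "jackson-databind", "version": "2.13.0"},
         ]},
        {"type": "application", "name": "legacy-reporting", "version": "5.1.0"},
        {"type": "firmware", "name": "example-bios", "version": "1.0.7"},
    ],
})

# Constructed watchlist: component name -> highest version treated as affected.
# A real advisory feed supplies the exact ranges; this value is illustrative only.
WATCHLIST = {"log4j-core": "2.14.1"}

# Constructed "current release" table for the N-1 rule (version N = latest).
CURRENT_RELEASES = {"example-portal": "4.0.0",
                    "legacy-reporting": "7.2.0",
                    "example-bios": "1.1.0"}


def parse_version(v):
    """Split 'major.minor.patch' into a tuple of ints; missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def flatten_components(components, path=()):
    """Yield (path, component) for every component, recursing into nested ones."""
    for comp in components:
        here = path + (comp["name"],)
        yield here, comp
        yield from flatten_components(comp.get("components", []), here)


def inventory(sbom_text):
    """Return a flat list of (slash-joined path, type, name, version) entries."""
    bom = json.loads(sbom_text)
    return [("/".join(p), c["type"], c["name"], c.get("version", ""))
            for p, c in flatten_components(bom.get("components", []))]


def watchlist_hits(sbom_text, watchlist=WATCHLIST):
    """Paths of components whose version is at or below the watchlisted ceiling."""
    hits = []
    for path, _ctype, name, version in inventory(sbom_text):
        ceiling = watchlist.get(name)
        if ceiling and parse_version(version) <= parse_version(ceiling):
            hits.append(path)
    return hits


def n_minus_one_violations(sbom_text, current=CURRENT_RELEASES):
    """Applications/firmware whose major version is more than one behind N."""
    out = []
    for _path, ctype, name, version in inventory(sbom_text):
        if ctype not in ("application", "firmware") or name not in current:
            continue
        deployed_major = parse_version(version)[0]
        latest_major = parse_version(current[name])[0]
        if deployed_major < latest_major - 1:
            out.append((name, version, current[name]))
    return out


if __name__ == "__main__":
    for entry in inventory(SAMPLE_SBOM):
        print("component:", entry)
    print("watchlist hits:", watchlist_hits(SAMPLE_SBOM))
    print("N-1 violations:", n_minus_one_violations(SAMPLE_SBOM))
```

The point the example makes is the one in the paragraph: an inventory that stops at the application layer would report only `example-portal`, while walking the SBOM surfaces the nested `log4j-core` library and lets the watchlist match it. The same flattened inventory feeds the N-1 check, which here flags `legacy-reporting` (major version 5 against a current release of 7) while leaving `example-portal` (3 against 4) within policy.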
Executive Order 14028 provides ITAM teams with new opportunities to engage with key stakeholders in order to improve cybersecurity for all – as any software provider wishing to sell software to US Federal agencies will have to tighten up their development standards. The approaches used, such as Zero Trust, will result in software that is more modular and less likely to introduce vulnerabilities into your estate. The need for comprehensive and continuous inventory puts weight behind what we as ITAM teams have known for years – IT Governance starts with trustworthy data.