US Federal cybersecurity requirements raise the importance of ITAM for all

ITAM News & Analysis

US Federal cybersecurity requirements raise the importance of ITAM for all

In recent years the demands of US Federal agencies have driven forward cybersecurity best practice in many areas of ITAM. For example:

• NIST stated the importance of ITAM in their 2018 guidance, providing an explicit link between ITAM and cybersecurity
• Federal agencies played a significant role in the use of software ID (SWID) tags
• Under Executive Order (EO) 14028, US federal agencies have three months left to create a full inventory of their software in order to comply with governmental practice on cybersecurity.

All of these developments represent opportunities for ITAM teams to get involved in securing their organizations against cyber-attacks. Importantly, the requirements imposed upon software publishers and developers mean that every software consumer will benefit from these changes.

What does Executive Order 14028 require?

Essentially, Executive Order 14028 (issued in May 2021) requires software publishers and developers to attest to the fact that they employ secure software development practices, as defined by NIST, in order for their software to be deployable by a US Federal agency. However, this only applies to new software and new major versions of existing software deployed since the EO was issued last year, so for now this limits the scope and operational impact.

ITAM teams have been tracking application lifecycle information, such as release age, for many years. Commercial regulatory and compliance standards such as PCI-DSS require this, often mandating that deployed software must be currently supported and be no older than one major version of the current release (often referred to as version N-1).

Full inventory required by year end 2022

The cut-off point for attesting conformity effectively mandates that federal agencies maintain a full software and hardware inventory – hardware is also in scope, because software in this case includes the firmware controlling hardware devices, such as the BIOS. The EO mandates that this full inventory must be in place by the end of 2022. This inventory must go beyond the application layer, and also cover the components of individual applications in the form of a Software Bill of Materials (SBOM). Whilst this is of greatest importance to users of open-source software it also affects proprietary software, due to its widespread use of open source libraries.

What is an SBOM?

The purpose of an SBOM is to provide an “ingredients list” of the components making up a software application. Recently, software vulnerabilities have come to light in widely-used open source libraries such as log4j which have put organizations at risk.  A conventional software inventory tool may only discover the application name and provide no insight into the libraries and components which make up that application. That’s what SBOM attempts to address. As ITAM teams we should expect tools to begin adding SBOM generation capabilities as this requirement becomes more widespread. Whilst your security teams might already have tools which can generate and maintain SBOMs this requirement still provides an opportunity for building closer ties with them.

Raising the cybersecurity bar for all

Executive Order 14028 provides ITAM teams with new opportunities to engage with key stakeholders in order to improve cybersecurity for all – as any software provider wishing to sell software to US Federal agencies will have to tighten up their development standards. The approaches used, such as Zero Trust will result in software that’s more modular and less likely to introduce vulnerabilities into your estate. The need for comprehensive and continuous inventory puts weight behind what we as ITAM teams have known for years – IT Governance starts with trustworthy data.

Further Information

For more on this topic see our on-demand webinar presented in conjunction with Eracent

Can’t find what you’re looking for?