In response to high-profile cyberattacks, the U.S. government will soon release software security standards impacting every federal contractor, supplier and agency. How will your organization prepare?
Within days, the White House is expected to release its highly anticipated executive order on cybersecurity, an overdue development that will have a tremendous impact on the entire ecosystem of agencies, software vendors and service providers. First announced in an April 19 statement by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, the order will set new cybersecurity guidelines for government software vendors with a mandate to create a set of software security standards.
Software development vendors, the federal agencies that procure apps for use, and the federal agencies that allow individuals to bring their own apps via Bring-Your-Own-Device (BYOD) programs must prepare to secure and protect all mobile, web and desktop applications from vulnerabilities like those exploited in the recent SolarWinds, Accellion and Microsoft Exchange Server attacks. The order is also designed to address attacks on critical infrastructure such as the recent Colonial Pipeline breach, a ransomware attack that shut down 5,500 miles of pipeline carrying refined gasoline and jet fuel in the Eastern United States.
Mobile cyberattacks are clearly on the rise. NowSecure has tracked hundreds of mobile app breaches in the past few years impacting millions of users including Apple iOS Mail, Facebook, Samsung, Slack, Twitter, Under Armour, Walgreens and more. Learn more about the MITRE Mobile ATT&CK Surface here.
By establishing cyber requirements across agencies, the White House hopes to avoid the kinds of cyberattacks that impact thousands of agencies and companies and millions of citizens. The executive order is expected to mandate security standards for software sold to or used by any federal government agency. According to Reuters, these new cybersecurity guidelines may call for the formation of a cybersecurity oversight board similar to the National Transportation Safety Board (NTSB).
The initiative is also expected to include plans for more systematic federal investigation of cyber events across the country. In many cases companies fail to publicly disclose cyberattacks for fear of damage to their brand reputations or shareholder value, or of being hit with regulatory fines. With the coming order, companies may be required to report cyber breach details quickly to drive awareness and faster response. In exchange, the federal government can provide incident response and remediation resources.
The call for national cybersecurity standards on software and hardware provided to the federal government is a long-overdue game changer in U.S. cybersecurity. Through the massive scale of the federal contracting process, these standards would eventually be adopted across the private sector.
The expected order may require that all companies — manufacturers, service providers, communications providers and more — that do business with the federal government improve their cybersecurity posture, not just software developers themselves. Ultimately all businesses that work with federal agencies should be aware of and prepare for the new standards and regulations.
The order’s impact could be significant, with trillions of procurement dollars at stake. When the European Union’s General Data Protection Regulation (GDPR) went into effect in 2016, it was focused on EU citizens, but global companies found that to sell into the EU they had to comply, effectively making it a global standard. The power of GDPR lies in financial enforcement. Last year GDPR fines rose 40% totaling $191.5 million and over the years have included mobile app breaches as was the case with British Airways.
NowSecure has been working with developer and security communities for more than a decade to help define mobile application security standards and craft testing programs and software with organizations such as OWASP, NIAP and ioXt. OWASP is often considered the most widely recognized security standards organization in the security community. NowSecure has worked with the OWASP Mobile Security Project from the initial OWASP Mobile Top 10 to the more recent OWASP MASVS and MSTG. (Learn more in our Manager’s Guide to the OWASP Mobile Security Project reference.)
The U.S. Department of Defense and other federal agencies must ensure their mobile apps comply with the National Information Assurance Partnership (NIAP) security requirements. NIAP validates the security of commercial hardware and software used in national security systems. NowSecure built the first NIAP standard certification for mobile apps.
NowSecure has also been at the forefront of driving IoT-connected mobile app security standards working with the ioXt Alliance. In partnership with technology vendors such as Amazon, Google, IBM, McAfee, SonicWALL and IoT manufacturers such as Crestron, Honeywell, Leviton, Motorola and Schneider Electric, NowSecure is an Authorized ioXt Certification Lab, helping create the standard and delivering the first automated certification solution for IoT-connected mobile apps.
NowSecure partners with mobile software developers to ensure the security of their mobile apps meets the standards of commercial and federal agencies alike. The company works with thousands of mobile app developers and numerous federal agencies such as the U.S. Department of Defense, Department of Homeland Security, Department of Justice and the U.S. Marshals Service to secure their mobile DevSecOps pipelines and monitor their third-party mobile app supply chains. We look forward to working with regulators, federal agencies and software developers alike to bring practical, effective standards for mobile app security to benefit all.