According to new guidance released by the White House this week, US federal agencies have just three months to create a full inventory of their software in order to comply with new federal cybersecurity requirements.
The world has gone digital, and our daily life, economic vitality, and national security all depend on a safe and resilient cyberspace. And among the most important areas for protection are the federal agencies that handle an abundance of sensitive information – from health care to energy infrastructure. According to Cybersecurity Ventures, by 2025, cybercrime is estimated to cost $10.5 trillion globally, increasing by 15 percent year over year. IT security has never been more important.
An executive order issued by President Biden in May 2021 to strengthen the nation’s cybersecurity outlined the growing threat of cybercrime and required the National Institute of Standards and Technology (NIST) to publish guidance on how agencies can better protect valuable government systems through more secure software.
Here’s a recap of that recently published government guidance, its timeline, and what you need to do to be compliant under the new rules:
- US agencies must now have an inventory of all software usage (excluding any software they’ve produced themselves). They are now banned from using any software that does not comply with the NIST guidelines.
- The software vendors will need to send agencies a “self-attestation” letter about the products’ security features, recent changes, and more. The vendors must also attest to following “secure development practices.”
- Agencies have 90 days to create an inventory of all software usage.
- Agencies have 120 days to build out a process for communicating the new requirements to software vendors.
- CIOs have 180 days to train employees to validate what the software companies claim in their letters. Any extensions to the timelines need to be applied for within 30 days of the deadline.
- Agencies have 270 days to collect letters from vendors about “critical” software. Agencies will need to have letters from vendors about all software — critical and otherwise — by next September.
Why software matters for cybersecurity
Significant breaches like the infamous SolarWinds hack in 2020, the Colonial Pipeline attack, and the Microsoft Exchange attack have had huge impacts on both federal agencies and corporations over the last few years. Many feel this kind of requirement is long overdue.
“Awareness of your inventory is a key aspect of security,” says Avinash Kotikalapudi, a Senior Director who leads the IT Security and GRC services at Anglepoint in the areas of information security, risk management, and privacy.
“As the old saying goes, ‘you can’t secure what you don’t know you have.’ By requiring agencies to keep track of their software and only use those that have been proactively vetted as secure, they can prevent a huge amount of unnecessary risk.”
It may even mark a longer-term shift in the market, with software providers offering security assurance to their customers. Today, it’s enough for software just to work well. In the future, it may need to be secure to sell.
Greg Free, a Senior Manager at Anglepoint and expert in security, says: “This mandate underscores the necessity of having a mature ITAM program that is using automation tools. This type of transparency and speed is not possible with an Excel sheet.”
The biggest challenge, he predicts, is the tight timeline within the guidance. Luckily, Anglepoint can help you with that.
Where do I start?
If you work in IT, you will know that all this is much easier said than done. With the increase in cloud-based options on the market, software is a tricky beast to track accurately, and many organizations have no clear picture of what they own.
Phillippe de Raet, Vice President of Public Sector at Anglepoint, is ready to rise to what he sees as an essential task for agencies.
“With cyberattacks increasing every year, the need to secure our IT assets is more critical than ever,” he says. “Right now, our government is dangerously vulnerable to threats that impact directly on services to citizens.”
“But there’s no need for government agencies to face this challenge alone,” he says.
“As a software asset management (SAM) leader for three years in a row, Anglepoint specializes in ensuring that your agency is accurately collecting inventory of software, facilitating attestations from software vendors, and providing training plans for validation. Our expert services are tailored for the public sector and can help you meet NIST’s requirements in a timely manner. At Anglepoint we remain committed to supporting the government in its mission to drive cost optimization, mitigate risk and achieve standards of operational excellence within agencies’ hardware and software estates.”