The President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity” (14028), issued on May 12, 2021, charges multiple agencies, including NIST, with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.
Section 4 of the EO directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. Those guidelines are to include:
The EO calls for NIST to consult with the National Security Agency (NSA), Office of Management and Budget (OMB), Cybersecurity & Infrastructure Security Agency (CISA), and the Director of National Intelligence (DNI) and then to define “critical software” by June 26, 2021.
NIST is to publish guidance outlining security measures for critical software by July 11, 2021, after consulting with CISA and OMB.
Also by July 11, 2021, after consulting with the NSA, NIST will publish guidelines recommending minimum standards for vendors’ testing of their software source code.
By November 8, 2021, NIST is to publish preliminary guidelines, based on stakeholder input and existing documents, for enhancing software supply chain security.
By February 6, 2022, after consulting heads of various agencies, NIST will issue guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria.
By May 8, 2022, NIST will publish additional guidelines, including procedures for periodically reviewing and updating guidelines.
The EO also directs NIST to initiate two labeling programs related to the Internet of Things (IoT) and software to inform consumers about the security of their products. Those efforts have initial deadlines of February 6, 2022. Like its other assignments in the EO, NIST will rely heavily on stakeholder ideas and information in carrying out these tasks.