Sound Off: What's in OMB's Latest Cybersecurity Guidance?Grant Schneider Sounds Off on OMB Deliverable for Secure Software
"Sound Off" is a new video series that explores one topical question, in depth, with information security and privacy leaders.
The U.S. Office of Management and Budget recently released its latest deliverable as part of President Joe Biden's cybersecurity executive order, on "Enhancing the Security of Federally Procured Software." In this week's "Sound Off," former federal CISO Grant Schneider discusses the implications of this guidance and shares best practices for how agencies and organizations can improve the security of their software supply chain.
The OMB's statement is a continuation of last May's cybersecurity executive order that requires the government to only purchase software that is developed securely. It tasks the National Institute of Standards and Technology to "issue guidance identifying practices that enhance the security of the software supply chain," which it published on Feb. 4, 2022.
Schneider says that in addition to directing agencies to implement the NIST guidance, the OMB statement seeks industry feedback. "Service providers and third-party providers will need to attest to the fact that they're meeting the NIST guidance and that they are producing secure software," he says.
In a video interview with Information Security Media Group, Schneider discusses:
- The latest OMB announcement and its implications for federal agencies;
- The challenges ahead for agencies and realistic expectations for progress this year;
- Best practices for implementing NIST's Secure Software Development Framework.
Prior to Venable, Schneider served as the U.S. deputy federal CISO and the U.S. federal CISO and as senior director for cybersecurity policy on the White House National Security Council. Before that, he served for seven years as chief information officer for the Defense Intelligence Agency.
Don't miss our previous installments of "Sound Off," including the Feb. 21 edition with attorney Lisa Sotto, who conducts a post-mortem on the Colonial Pipeline ransomware attack, and the Feb. 25 edition with former CISO of PNC Bank David Pollino, who considers how banks can prepare for the Russia-Ukraine crisis.