The Executive Order, Improving the Nation’s Cybersecurity, charted a new course for national cybersecurity, and we have begun implementing one of its most important elements. As of yesterday, every company that sells software to the government must have a rigorous software security program in place. The requirement covers traditional off-the-shelf on-premises software, software delivered as a service, and all included open-source software components.
We know Americans are concerned about cybersecurity – we’ve seen the cost of ransomware attacks to businesses of all sizes and the disruption they’ve caused to critical services in countries around the world. And we know that a fundamental part of building cyber resilience is strengthening security throughout a product’s lifecycle, from initial design to deployment. We buy a car with pre-installed seat belts and airbags. We should be able to buy software with built-in security. With the implementation of this component of the executive order, the federal government is leveraging its purchasing power to improve the security of the software we all use, including the software we install in some of the most critical infrastructure in our country.
We thank NIST and our industry partners for their collaboration in developing the Secure Software Development Framework (SSDF) that NIST released last month. The SSDF contains a set of practices that create the foundation for secure software development, which every company that sells software to the government must now follow. We also thank the OMB for working with the private sector over the next 60 days to provide guidance on how companies will certify SSDF compliance when selling software to the US government.