Identity Reviews and OMB’s Guidance on Security of the Software Supply Chain

To ensure the security of the software supply chain, the Office of Management and Budget (OMB) has released guidance in the form of Executive Order (EO) 14028. This guidance is aimed at helping organizations implement a secure software development life cycle (SDLC) by leveraging the NIST Secure Software Development Framework. The OMB’s guidance explicitly mentions the need for reviews of identities and access to maintain trusting relationships between organizations and their suppliers. This post explores why identity reviews are essential to the security of the software supply chain, and how YouAttest can help organizations automate these reviews.

New Guidance on Software Supply Chain Security

The guidance issued by the OMB requires that organizations take several steps to secure their software development life cycle. One of the most important of these steps is to ensure that everyone involved in the SDLC understands their roles and responsibilities. This includes not only those within the organization but also any external suppliers. To help with this, the OMB recommends that organizations create or update their roles and responsibilities as needed to encompass all aspects of the SDLC. These roles and responsibilities should then be reviewed regularly, and updated as needed, such as when new software development models are implemented.

The OMB memorandum states that companies must meet the guidelines outlined in NIST Special Publication (SP) 800-218 – Secure Software Development Framework (SSDF). This publication calls out the need for identity reviews as part of an overall security strategy. It is clear from reading this publication that meeting the requirements set forth by the OMB is essential for companies looking to do business with the US government. Meeting these requirements includes having a robust software development process that includes identity reviews.

In addition to roles and responsibilities, the OMB also recommends that organizations review their access control procedures. This includes confirming the trust of individual users by attesting to their roles and permissions. Automated access reviews of applications, groups, and users can help with this by providing a consistent and auditable way to review and confirm access. This is important to the security of the software supply chain because it helps to ensure that only authorized users have access to sensitive information and systems. This becomes critically important when dealing with external suppliers, as it helps to ensure that only those with the appropriate permissions can access the organization’s systems and data.

The President’s recent Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure calls for the development of several pilot programs to improve the security of the software supply chain. These pilot programs will be conducted in a manner consistent with OMB Circular A-119 and NIST Special Publication 2000-02 (Conformity Assessment Considerations for Federal Agencies). One of these pilot programs will focus on identity reviews. The goal of this program is to increase the security of federal networks by ensuring that only authorized software is installed on federal systems. This program will also help to protect the privacy of individuals by preventing unauthorized access to sensitive data.

Another pilot program will focus on the security of the software supply chain. The goal of this program is to ensure that software is not compromised before it is installed on federal systems; like the first program, it will also help to protect the privacy of individuals by preventing unauthorized access to sensitive data. Both of these pilot programs will help to improve the security of federal networks and protect the privacy of individuals through the use of identity reviews to better secure the software supply chain.


Why Identity Reviews Matter

Identity reviews help to ensure that the correct people have the appropriate level of access to software development resources. This is essential to maintaining the security of the software supply chain, as it helps to prevent unauthorized access and misuse of these resources. By attesting to the roles and permissions of users regularly, organizations can help to ensure that only those with the appropriate level of access can access sensitive information and systems. This is important not only for maintaining the security of the software supply chain but also for ensuring compliance with regulatory requirements such as the OMB’s guidance.
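As an added illustration (not code from the post or from YouAttest), the following Python sketch performs the kind of identity review described above: it compares the current entitlements on SDLC resources against an identity roster and a role model, and flags every entitlement a reviewer cannot attest to (orphan accounts, external suppliers whose engagement has ended, and permissions beyond the user’s role). All user names, roles, resources and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the original post): an HR/identity roster,
# a role model, and the entitlements currently granted on SDLC resources.
ROSTER = {
    "alice": {"active": True,  "role": "developer", "org": "internal",   "contract_end": None},
    "bob":   {"active": False, "role": "developer", "org": "internal",   "contract_end": None},
    "carol": {"active": True,  "role": "release",   "org": "internal",   "contract_end": None},
    "dan":   {"active": True,  "role": "developer", "org": "supplier-x", "contract_end": date(2024, 1, 31)},
}

# Role model: which permissions each role may hold on each SDLC resource.
ROLE_PERMISSIONS = {
    "developer": {"source-repo": {"read", "write"}, "build-pipeline": {"read"}},
    "release":   {"source-repo": {"read"}, "build-pipeline": {"read", "write", "deploy"}},
}

# Entitlements as exported from the systems: (resource, user, permission set).
ENTITLEMENTS = [
    ("source-repo", "alice", {"read", "write"}),
    ("source-repo", "bob", {"read", "write"}),        # bob has left: orphan account
    ("build-pipeline", "alice", {"read", "deploy"}),  # deploy exceeds the developer role
    ("source-repo", "dan", {"read"}),                 # supplier contract has expired
    ("source-repo", "mallory", {"read"}),             # no identity on the roster at all
]

REVIEW_DATE = date(2024, 6, 1)  # constructed date of the review cycle

def review_access(entitlements, roster, role_permissions, today):
    """Return one finding per entitlement that cannot be attested to.
    Finding kinds: orphan, expired-supplier, excess-permission."""
    findings = []
    for resource, user, perms in entitlements:
        identity = roster.get(user)
        if identity is None or not identity["active"]:
            findings.append((resource, user, "orphan", perms))
            continue
        end = identity["contract_end"]
        if end is not None and end < today:
            findings.append((resource, user, "expired-supplier", perms))
            continue
        allowed = role_permissions.get(identity["role"], {}).get(resource, set())
        excess = perms - allowed  # permissions the role model does not grant
        if excess:
            findings.append((resource, user, "excess-permission", excess))
    return findings

if __name__ == "__main__":
    for finding in review_access(ENTITLEMENTS, ROSTER, ROLE_PERMISSIONS, REVIEW_DATE):
        print(finding)
```

Each finding is what a reviewer would be asked to revoke or explicitly attest to; entitlements that match an active identity and its role produce no finding.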


YouAttest and Software Supply Chain Security

YouAttest is a cloud-based identity and access management platform that helps organizations automate identity reviews, with features that include the ability to:

  • Review access control procedures
  • Attest to the trust of individual users
  • Automate the review of roles and permissions
  • Automate access reviews of applications, groups, and users

By automating the identity review process, YouAttest helps organizations confirm on a regular schedule that the correct people hold the appropriate level of access to software development resources, and that only those with the appropriate level of access can reach sensitive information and systems. This supports both the security of the software supply chain and compliance with regulatory requirements such as the OMB’s guidance.


YouAttest is the leading provider of automated access reviews and can help your enterprise stay secure and eliminate orphan accounts. Contact YouAttest today to learn more about how we can help you maintain continuous compliance.
