White House Wants Industry Input on New Software Security Rules

The White House is planning an executive order that will demand more of the government’s software suppliers, but there won’t be any binding requirements for at least six months, an official working on the order said.

“I think you're looking at six months to a year depending upon the criticality of the software before you'll see anything binding. So there will be an opportunity to adjust to anything that's out there,” said Jeff Greene, acting senior director for cybersecurity at the National Security Council.

Greene spoke during a Wednesday event hosted by the Cybersecurity Coalition—and industry group of information technology, telecommunications and cybersecurity companies. Before joining the NSC last month, he was vice president of global government affairs and policy at Symantec and was director of the National Institute of Standards and Technology’s Cybersecurity Center of Excellence, which partners with the private sector.

The executive order is not meant to address every cybersecurity issue but will be a response to recent widespread hacks and, as a result, focus especially on software, Greene said.

“We're going to need all developers who are selling software to the government to implement more rigorous and predictable mechanisms to ensure that their products and their software behave, both as intended and as designed,” he said. “We're at the point where the federal government simply can't bear the risk of buying insecure software anymore.” 

Standards for those mechanisms will likely come from NIST, which Greene said is good at engaging with the private sector.. But he said a Federal Acquisition Regulation rulemaking will happen concurrently, and will provide a formal avenue for industry to shape the rule.

“What we envision, and again nothing is final yet, but it's parallel processes,” he said. “We have confidence that NIST will be able to kick off the process pretty quickly and get an initial report out, you know, six months or so, on what they think. And we'll follow up after that. But we want to start the rulemaking process at the same time, because we want to make it clear that this requirement—the requirement being the U.S. government isn't going to buy software that isn't built following certain processes—that is coming.”

Greene also added that actions the cybersecurity community might want included in an upcoming infrastructure package may come through the executive order or other avenues.

“Just because you're not seeing that necessarily mentioned in column A doesn't mean that we're not working on it pretty aggressively in column B,” Greene said in response to a question about the administration’s infrastructure plan. “So again it's not fully out there yet but we are actively working that issue with a program that we hope to roll out pretty soon, to try to hit things we think can make the biggest impact, the quickest.” He noted that the executive order is “not a short document.”