The National Institute of Standards and Technology (NIST) will host a virtual workshop on June 2 and 3, 2021 to enhance the security of the software supply chain and to fulfill the President’s Executive Order on Improving the Nation’s Cybersecurity, issued on May 12, 2021.
Among other things, Section 4 of that Executive Order (EO) directs the Secretary of Commerce, through NIST, to consult with federal agencies, the private sector, academia, and other stakeholders in identifying standards, tools, best practices, and other guidelines to enhance software supply chain security. Those standards and guidelines will be used by other agencies to govern the federal government’s procurement of software. The EO includes additional assignments to NIST which will be addressed in other forums, although discussions at this workshop will inform those actions by NIST. This workshop focuses on assignments in Section 4 of the EO.
The goals of the workshop are to:
- share NIST’s plans to develop the software-related standards and guidelines called for by the Executive Order, and
- receive and discuss information and ideas about the approach and content that NIST should consider in developing those standards and guidelines.
The agenda for the two-day workshop, which will take place from 1-5 pm EDT on each day, will be based on submissions to NIST by the private, public, and non-profit sectors in the form of two-page position papers. These papers from organizations and individuals will be reviewed for their diversity of ideas in order to ensure that NIST considers a wide range of approaches for achieving the goal of the EO and that the standards and guidelines identified are practical and effective. NIST seeks to build on existing approaches and capabilities to avoid duplication and to speed implementation of needed security steps while also encouraging creative thinking and new approaches. All suggestions in position papers must be consistent with and within the scope of the assignments specified by the EO. Topics and speakers selected for the workshop will be based largely on these position papers. NIST expects speakers to participate in panel discussions.
Timelines in the EO are very tight, as are the deadlines for contributing position papers for this workshop. All submissions must be received by NIST no later than May 26, 2021.
NIST seeks position statements in five areas.
- Criteria for designating “critical software.” Functional criteria should include, but not be limited to, level of privilege or access required to function, integration, dependencies, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised. See EO Section 4(g).
- Initial list of secure software development lifecycle standards, best practices, and other guidelines acceptable for the development of software for purchase by the federal government. This list of standards shall include criteria and required information for attestation of conformity by developers and suppliers. See EO Section 4(e)(i, ii, ix, and x).
- Guidelines outlining security measures that shall be applied to the federal government’s use of critical software, including but not limited to, least privilege, network segmentation, and proper configuration. See EO Section 4(i).
- Initial minimum requirements for testing software source code including defining types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing), their recommended uses, best practices, and setting realistic expectations for security benefits. See EO Sections 4(e)(iv and v) and 4(r).
- Guidelines for software integrity chains and provenance. See EO Sections 4(e)(ii, vi, and viii).
Position papers should specify which of the five areas is being addressed and be a maximum of two pages in length. Supplemental material may be provided, but selection of position papers to be presented at the workshop will be based on the brief papers. Submissions will be accepted from those who do not wish to be considered as speakers. For those who wish to be considered as speakers at the workshop, submissions should include the individuals’ names, titles, and contact information. NIST will make available online all statements that are within the scope of this request but reserves the right to withhold publication of material deemed inappropriate, including strictly promotional information.