On May 12, 2021, President Biden signed an Executive Order to improve the nation’s cybersecurity and protect federal government networks. Recent cyber attacks involving SolarWinds, Microsoft Exchange and the Colonial Pipeline have again brought to the forefront the very real threat that cyber attacks pose to U.S. public and private organizations. It’s clear many organizations are not doing enough to protect themselves and those they serve.
As you might have read, the Executive Order “makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.”
“With the executive order from President Biden, securing the software supply chain is top of mind for every executive,” said Tim Johnson, director of product marketing at CloudBees. “Public and private organizations understand they must secure the supply chain, and throughout the software delivery lifecycle, in alignment with the new NIST standards.”
At first blush, this may seem like it only applies to the U.S. Government and those companies that supply software directly to it. However, since the supply chain is so interconnected, these orders will eventually (and probably sooner than imagined) apply directly to almost any company worldwide that releases software. The U.S. Government will push its suppliers to comply, and those suppliers will in turn push their suppliers all the way upstream to the original repository owner or contributor.
While we were discussing this internally yesterday, someone here at CloudBees raised the question of “How will companies have to change their processes in order to comply with these Executive Orders?” A quick reply came in the form of “If anyone has to change how they’re delivering software in order to comply, they probably weren’t doing it right in the first place.” In other words, these organizations don’t have an audit, compliance or security problem; they have a software delivery problem. Making the code, the process and the people more secure actually makes delivering software faster, cheaper and more effective.
A great place to start looking at how to improve your process is with our blog, Three Overlooked Steps to Securing A Software Supply Chain. It shares three areas where we’ve seen IT leaders overlook the potential for risk in their software delivery supply chain and makes recommendations for building in trust. They are:
1. Put Process Gates and Controls at Every Step of the Software Supply Chain
2. Don’t Assume Bad Actors are Only Outside Your Organization
3. Think Like an Auditor
CloudBees works with many of the Fortune 100 in highly regulated industries, as well as federal agencies, including the IRS, the United States Air Force and the U.S. Department of Health and Human Services, to ensure their software is secure -- from creation through delivery to production and beyond. By streamlining governance and compliance so that it becomes a force for innovation, these organizations are serving their missions by more rapidly delivering trustworthy software to their teams and customers.
For more information on this topic, join speakers from ManTech International, The Linux Foundation and Accelerated Strategies Group on Securing the Software Supply Chain on May 27.