Showing posts with label EO 14028. Show all posts

Saturday, April 20, 2024

GAO Reports – Week of 4-13-24 – Federal Cybersecurity EO Actions

This week, the Government Accountability Office (GAO) published a report on “Cybersecurity - Implementation of Executive Order Requirements Is Essential to Address Key Actions”. The report looks at the implementation of EO 14028 in CISA, NIST, and OMB.

The table below shows the GAO's assessment of EO 14028 leadership and oversight requirements (see Appendix III of the report for a description of the individual requirements). Blank cells are zero. The one requirement rated not complete, CISA's list of critical software categories, is the subject of Recommendation 1 below.

Executive Order Section                                                              | Fully complete | Partially complete | Not complete | Not applicable
-------------------------------------------------------------------------------------|----------------|--------------------|--------------|---------------
Removing Barriers to Sharing Threat Information                                      | 6              | 1                  |              |
Modernizing Federal Government Cybersecurity                                         | 8              |                    |              |
Enhancing Software Supply Chain Security                                             | 16             |                    | 1            |
Establishing a Cyber Safety Review Board                                             | 6              | 1                  |              |
Standardizing Playbook for Responding to Cybersecurity Vulnerabilities and Incidents | 4              | 1                  |              |
Improving Detection of Cybersecurity Vulnerabilities and Incidents                   | 7              | 1                  |              |
Improving the Federal Government's Investigative and Remediation Capabilities        | 2              | 1                  |              |
Total                                                                                | 49             | 5                  | 1            |

The report makes a total of five recommendations (pg 44), two for DHS and three for the OMB:

• The Secretary of Homeland Security should direct the Director of CISA to issue, in a timely manner, its list of software and software product categories that are considered critical software. (Recommendation 1)

• The Secretary of Homeland Security, through the Director of the CISA, should direct the Cyber Safety Review Board to document steps taken or planned to implement the recommendations provided to the President for improving the board’s operations. (Recommendation 2)

• The Director of OMB should demonstrate that the office has conducted, with pertinent federal agencies, cost analyses for the implementation of recommendations related to the sharing of threat information, as defined in the order. (Recommendation 3)

• The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for the implementation of an endpoint detection and response capability, as defined in the order. (Recommendation 4)

• The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for logging, log retention, and log management capabilities, as defined in the order. (Recommendation 5)

Tuesday, November 16, 2021

OMB Approves Software Supply Chain NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs announced that it had approved a Department of Commerce (DOC) notice of proposed rulemaking (NPRM) on “Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications”. This rulemaking is not listed in the Spring 2021 Unified Agenda.

As I noted when this rulemaking was sent to OMB for review, I suspect that this is related to §4 of EO 14028. This will probably appear in the Federal Register within the next week, so we will know for sure what it covers then.

Friday, October 8, 2021

DOC Sends Software Supply Chain NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the DOC concerning “Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications”. This rulemaking was not included in the Spring 2021 Unified Agenda.

While EO 14028, Improving the Nation's Cybersecurity, does not specifically task DOC with a requirement to publish a rule concerning supply chain security, §4 of the EO does provide DOC with a laundry list of software supply chain responsibilities. I suspect that this NPRM is a natural outgrowth of those taskings.

Friday, June 11, 2021

Review - HR 2928 Introduced – Cyber Sense Program

Back in March, Rep Latta (R,OH) introduced HR 2928, the Cyber Sense Act of 2021. The bill would require DOE to establish "a voluntary Cyber Sense program to identify and promote cyber-secure products intended for use in the bulk-power system" {§2(a)}. Similar bills have passed the House in each of the last three sessions of Congress, most recently HR 360 in the 116th.

Moving Forward

On Thursday of this week, the House Energy and Commerce Committee held a markup hearing where this bill was considered. The Committee considered HR 2928 without amendments and ordered it favorably reported to the House by a voice vote. The bill will be considered by the full House, likely before the Summer Recess, under the suspension of the rules process. This means limited debate, no floor amendments, and a supermajority required for passage. The bill will almost certainly pass (yet again) with strong bipartisan support.

Commentary

I would like to propose a value-added feature that should be made part of the Cyber Sense Program: a software bill of materials {SBOM, as defined in §10(j) of EO 14028} requirement for all products. With SBOMs on file, DOE could notify other vendors when a vulnerability reported to DOE in one product involves a component that their products also contain. This will be especially critical while a CEII restriction on publication of the vulnerability is in place, since those vendors could not learn of the problem from a public disclosure. To make this happen, we could revise §2(b)(2):

(2) for products and technologies tested under the Cyber Sense program, the Secretary would:

(i) establish a requirement to submit a software bill of materials (SBOM), as that term is defined in §10(j) of EO 14028, for each product or technology submitted for evaluation;

(ii) establish and maintain cybersecurity vulnerability reporting processes and a related database; and

(iii) provide notification to affected vendors when a vulnerability reported to the Cyber Sense program potentially affects their product, based upon their SBOM listing on file with the program.
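The notification step in (iii) needs a concrete matching rule: which SBOMs on file list the reported component at an affected version. The following is an added example written for this page; it is not code from the original post, from DOE or from HR 2928. It assumes vendors submit CycloneDX-style JSON SBOMs whose components carry package URLs (purl), and that a vulnerability report names the affected component by versionless purl plus an introduced/fixed version range. Every vendor, product, component version and the report id are constructed sample data.

```python
"""SBOM-based affected-vendor notification for a Cyber Sense-style program.

Added example; not code from the original post, DOE or HR 2928. Assumes
CycloneDX-style JSON SBOMs with purl-identified components and a report
that names a versionless purl plus an introduced/fixed version range.
All vendors, products, versions and the report id below are constructed.
"""
import json
from collections import defaultdict
from itertools import takewhile

# Constructed CycloneDX-style SBOMs as they might sit on file with the program.
SBOMS_ON_FILE = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "Relay Controller", "version": "3.1",
                                   "supplier": {"name": "Acme Grid Systems"}}},
        "components": [
            {"type": "library", "purl": "pkg:generic/openssl@1.1.1k"},
            {"type": "library", "purl": "pkg:generic/libmodbus@3.1.6"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "Substation Gateway", "version": "2.0",
                                   "supplier": {"name": "Beta Automation"}}},
        "components": [
            {"type": "library", "purl": "pkg:generic/libmodbus@3.1.7"},  # fixed
            {"type": "library", "purl": "pkg:generic/zlib@1.2.11"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "Meter Firmware", "version": "5.2",
                                   "supplier": {"name": "Gamma Metering"}}},
        "components": [
            {"type": "library", "purl": "pkg:generic/libmodbus@3.0.8?arch=arm"},
        ],
    }),
]

# Constructed vulnerability report with a hypothetical program-assigned id:
# libmodbus from 3.0.0 up to, but not including, the fixed release 3.1.7.
VULN_REPORT = {"id": "CS-2021-0001", "purl": "pkg:generic/libmodbus",
               "introduced": "3.0.0", "fixed": "3.1.7"}


def split_purl(purl):
    """Split 'pkg:type/name@version?qualifiers#subpath' into (base, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def parse_version(text):
    """Dotted numeric versions only; a trailing letter ('1.1.1k') is dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def build_index(sbom_documents):
    """Map each component's versionless purl to (vendor, product, version)."""
    index = defaultdict(list)
    for doc in sbom_documents:
        sbom = json.loads(doc)
        meta = sbom["metadata"]["component"]
        product = f'{meta["name"]} {meta["version"]}'
        vendor = meta["supplier"]["name"]
        for comp in sbom.get("components", []):
            base, version = split_purl(comp["purl"])
            index[base].append((vendor, product, version))
    return index


def is_affected(version, introduced=None, fixed=None):
    """True when introduced <= version < fixed; either bound may be absent."""
    v = parse_version(version)
    if introduced is not None and v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def affected_vendors(index, report):
    """Return {vendor: [(product, shipped_version), ...]} for products whose
    SBOM lists the reported component at an affected version. Only these
    vendors are notified; a CEII-restricted report is never published."""
    hits = defaultdict(list)
    for vendor, product, version in index.get(report["purl"], []):
        if is_affected(version, report.get("introduced"), report.get("fixed")):
            hits[vendor].append((product, version))
    return {vendor: sorted(products) for vendor, products in hits.items()}


INDEX = build_index(SBOMS_ON_FILE)

if __name__ == "__main__":
    for vendor, products in affected_vendors(INDEX, VULN_REPORT).items():
        print(f"{VULN_REPORT['id']}: notify {vendor} about {products}")
```

Two design points matter here. First, the match key is the versionless purl, so a vendor that renames a bundled library in its own documentation is still caught as long as its SBOM uses the canonical identifier; that is exactly why the program should insist on purls (or another unique identifier) rather than free-text component names. Second, the version comparison above is deliberately simple and treats "1.1.1k" as 1.1.1; a production program would need the ecosystem's own ordering rules (semver, Debian, RPM and so on) before relying on the fixed-version boundary.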

For a more detailed analysis of this legislation see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2928-introduced (subscription required).

Wednesday, June 2, 2021

Review - EO 14028 – NTIA Publishes SBOM Request for Comments

Today, the DOC’s National Telecommunications and Information Administration (NTIA) published a notice in the Federal Register (86 FR 29568-29571) requesting public comments on “Software Bill of Materials Elements and Considerations”. This action is being taken in support of the requirements of EO 14028 for NTIA to “publish minimum elements for an SBOM” {§4(f)}.

Public comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #210527-0117). Due to the short response requirements of EO 14028, NTIA is requesting that comments be submitted by June 17th, 2021.

Commentary

One point not discussed in the notice (and admittedly it was not part of the presidential mandate) that needs to be settled before any SBOM process becomes operational is the information sharing aspect of the SBOM. Let's face it, an SBOM provides an adversary with a software blueprint that can guide the development of an attack. Any discussion of an effective SBOM process is going to have to address how widely, and with whom, the detailed information in an SBOM is shared.

For a more detailed look at the information that NTIA is looking for, see my post at https://patrickcoyle.substack.com/p/eo-14028-ntia-publishes-sbom-request (subscription required).

Saturday, May 29, 2021

CRS Report on Information Sharing and Disclosure Requirements

This week the Congressional Research Service (CRS) prepared a report for Congress on "Critical Infrastructure Policy: Information Sharing and Disclosure Requirements After the Colonial Pipeline Attack". The report looks at the apparent change in information sharing philosophy embodied in the Biden Administration's attempt to require cybersecurity incident reporting under EO 14028.

The short report (2 pages) does not draw any conclusions, but it does outline the history of voluntary information sharing between privately owned critical infrastructure and the federal government. Anyone who wants to understand the impending debate in Congress on authorizing cybersecurity information reporting mandates needs to understand this history.

Interestingly, this report was prepared before TSA published their Security Directive 01-21 mandating that pipeline operators report cyberattacks on their operations and information systems.
