The federal IT community must prioritize the identification of critical software components within product suites as it works to address supply chain risk, according to the Federal Acquisition Service commissioner.
Speaking Tuesday at ACT-IAC’s Imagine Nation ELC, Sonny Hashmi called for the work of pinpointing code with national security implications to begin now, even as the definition of critical software continues to evolve.
He said: “[I]t’s important for us to start to think about what parts of our product suites — many of the products that your companies build and make available — are considered critical software.
“That definition is not always clear, although NIST has done an incredible amount of work to start defining what critical software looks like, but we have to be very thoughtful about what that critical software is. It’s the equivalent of the critical infrastructure that we rely on in our society.”
The procurement leader added: “This software is embedded at the network level; it has elevated access. We rely on that software to keep us secure and keep us operating. We need to make sure that we start with that sub-set of software first. Make sure that we put all the right eyes on that and then scale it to other categories of software.”
Following new cybersecurity guidelines issued last month by the Biden administration, CISA is working with the Office of Management and Budget to create a “common form” that U.S. departments will use to show that software vendors have attested that the technology they sell to the government meets NIST security guidelines.
Under that new guidance from OMB, federal departments must ensure that all third-party IT software they deploy adheres to NIST supply chain security requirements, and must obtain proof of conformance from vendors.
Following the cybersecurity executive order, issued by the White House in May 2021, NIST published an initial, wide-ranging definition of critical software.