IRS acting CIO: Securing software supply chain remains a challenge for agencies

Finding the right balance between encouraging innovation within development teams and securing the software supply chain remains a challenge for federal agencies, according to the acting chief information officer of the IRS.

Speaking Tuesday at the CrowdStrike Government Summit, Jeff King said government departments including the Department of Treasury — where King was deputy CIO until recently — are making progress in tightening supply chain security but that the scale of software libraries continues to pose a challenge.

“We don’t want to inhibit that innovation and creativity, especially in our development teams … ‘let’s try this new library to build out this software and make it more efficient or just do better things,’ but tracing that lineage of the library … is really hard to do at scale but very much something we have to look into,” King said.

King’s comments follow the publication last month of the Biden administration’s national cybersecurity strategy, which reignited a debate over the need for minimum security standards and encouraged software companies to address flaws in their products. 

That updated strategy calls for critical infrastructure owners and operators to meet minimum security standards, to expose software companies to liability for flaws in their products, and for the U.S. to use all elements of its national power to prevent cyberattacks before they happen — an indication that the Biden administration intends to continue U.S. Cyber Command’s so-called “defend forward” strategy of seeking out malicious hackers on foreign networks. 

The software sector was one of six critical industries identified in President Biden’s executive order on America’s Supply Chains, which was issued in February 2021 and gave seven Cabinet agencies a year to conduct risk assessments.