Acute global information technology (IT) security attacks are driving significant changes in government and commercial IT procurement. The resulting regulations and laws have an increasing impact on the federal contracting and critical infrastructure industries, requiring an investment in policy, risk-based cybersecurity management, standard operating procedure generation, additional tooling, personnel, and enterprise-wide training.
As a result, the government, investing community, and the insurance industry expect corporate cybersecurity risk management to be fully incorporated into business and mission risk plans at all levels. From a regulatory and legal perspective, the days of IT being a purely support function operating in the background are at an end.
Facing increasing threats to vulnerable supply chains
Foreign adversaries have weaponized software supply chains to gain access to IT systems for information gathering, monetary and intellectual property theft and extortion, strategic and tactical advantage, and general disruption of the normal functioning of governments and companies. Combined with the weaknesses inherent in large supply chains, this leaves organizations at a substantially greater risk of major disruption and loss than in the past.
The largest criminal intrusion to date is the SolarWinds Attack of 2020, in which Russia used the software supply chain to introduce vulnerabilities into an open-source dependency of SolarWinds software. These vulnerabilities were exploited to gain access to government and business systems with the intent of gathering intelligence. The remediation of the SolarWinds attack cost the government and industry more than $100 billion to date and is ongoing.
Absorbing the government response
To stem the tide of high-profile attacks, governments around the world are creating new regulations and laws that stipulate minimum cybersecurity compliance and reporting standards. For U.S. contractors, new regulations dictating responsibilities when developing, selecting, or reselling software are the result of the May 2021 Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. EO 14028 requires all companies involved in critical infrastructure or selling software or services to the federal government to establish policies, procedures, practices, and incident reporting in line with the National Institute of Standards and Technology (NIST) Cybersecurity Supply Chain Risk Management (C-SCRM) guidance and Secure Software Development Framework (SSDF). The government stipulated that these requirements cover all code for both the civilian and defense sides of the executive branch, including vetting all sources used to create code. The U.S. government will be consolidating the Cyber Supply Chain Security requirements under a new FAR Part 40. Until then, the Office of Management and Budget (OMB) has released interim guidance requiring agencies to procure software that is designed and managed under Secure Software Development Practices and attested to by the corporations that produced it.
In addition to the new federal contracting requirements, software developers must consider additional regulations, laws, and policies at the federal, state, and local government levels; commercial client requirements; foreign IT requirements; insurance coverage mandates and limitations; and civil liability.
New liabilities impacting industries we support
The federal government and the insurance industry are now holding companies liable for the processes used to build and purchase software, requiring them to attest to the company’s adherence to secure development policies and procedures. Organizations will need to continuously vet the processes they use to build or acquire software. Companies not currently following these practices will require considerable investment of time and money to achieve the new minimum requirements. The cost of fully implementing a Secure Software Development Life Cycle (SSDLC), complete with secure development/build environments, universal multi-factor authentication, least privilege authorization, artifact creation and retention, and the associated legal costs to support attestation, is not trivial.
Since implementation of these security controls is a prerequisite to obtaining future contracts, the associated costs are not directly recoverable and need to be incorporated as overhead for the organization. Many small vendors and smaller projects in larger organizations will not have the resources to cover the initial setup and the ongoing maintenance and training costs now associated with software development and procurement. These additional costs, along with the reduced volume of work resulting from the adoption and automation of cloud offerings, are projected to have a negative impact on smaller contractors, reducing the number of qualified small businesses over the next decade.
In addition to the reduction of smaller contractors in the market, these regulatory changes will accelerate the adoption of No/Low Code Software as a Service (SaaS) cloud-based services that already incorporate the security controls required under the Federal Risk and Authorization Management Program (FedRAMP). Additionally, the government is looking to migrate legacy applications to Platform as a Service (PaaS) offerings, which are developed and maintained using Zero Trust principles, reducing the number of systems and the amount of code the government must secure on its own.
A Culling of Competition in the Market
Cybersecurity is now a first-tier requirement for Tetra Tech’s clients and their parent organizations. This is a key focus of Tetra Tech’s cybersecurity offering, which includes governance, risk, and compliance, and cyber program development and operation as well as Zero Trust architectures and secure software supply chains. This rapidly changing posture will have ramifications vertically and horizontally across organizations.
The next few years will require difficult and costly transformations for companies not already familiar with secure application development and management if they are to remain in the market. In response to the regulatory and legal changes, software and service companies have already started updating existing services and deprecating old functionality that is not compliant. Legacy applications that rely on outdated functionality will need to be updated to meet the new cybersecurity requirements and the mandated Zero Trust environment, opening the door for companies that can train, staff, and implement policies and procedures compliant with the new requirements.
About the author
Tim Blum
Tim Blum is an IT consultant at Tetra Tech focusing on geospatial technologies, business intelligence, and project management.