NIST and CUI: Aligning with Government Software Supply Chain Mandates
What are the Mandates in the Government Software Supply Chain?
If you want to be or stay part of the federal software supply chain, the rules of engagement have changed drastically over the past few years. Executive Order 14028 lists multiple requirements for developers of “critical software”, including maintaining a software bill of materials (SBOM) and attesting to secure development practices. It also establishes a timeline for requirements and recommendations regarding data encryption, auditing internal and external risks, using automation tools to identify and remediate vulnerabilities, and many other steps.
Once you have completed an internal and external assessment of your risks, it’s time to harden baselines, secure endpoints and lock down your enterprise. If there is no way to breach your system, there is no way to go through you to attack your customers. The government offers a good deal of guidance regarding these requirements.
If you handle CUI, you must comply.
Controlled Unclassified Information, or CUI, is unclassified information that the government creates or owns and routinely shares in the course of its business. That data must be safeguarded according to applicable laws and policies. It includes health records, taxpayer data and other information that must be protected in the interests of citizens and the government.
Many government contractors, even those who work with government agencies only in an unclassified capacity, handle or maintain some of this information in their systems. Those contractors need to comply with NIST SP 800-171, which lists 110 procedures and controls that must be implemented if you store, process or transmit CUI.
The sooner you implement NIST 800-171, the better for business. Implementation can be simple or complex, depending on the complexity of your operating environment and systems.
Additional requirements for the software development process.
EO 14028 also makes it necessary for developers to produce and maintain a Software Bill of Materials (SBOM). The SBOM is an inventory of all the software components used, including open-source software. This helps evaluate known vulnerabilities and risks in a product so it can be properly secured in the system.
In addition to the SBOM, developers need to attest to using secure development practices on software created or updated after September 2022 using the Secure Software Development Common Attestation Form. Practices include developing in a secure environment, maintaining trusted source code supply chains, maintaining provenance of third-party code, and employing automated tools to check for vulnerabilities.
Protecting government data with CMMC.
Cybersecurity Maturity Model Certification (CMMC) is meant to protect government data and is not a direct mandate for the entire software supply chain, but it is another initiative that will help strengthen overall security within the supply chain.
Those who handle CUI also need CMMC. This step requires NIST 800-171 compliance as well as self-assessment or third-party certification, and it can take up to 2 years depending on the CMMC level to be met. Each level has progressively greater requirements:
Level 1: This is for organizations that only deal with Federal Contract Information (FCI). The requirement covers 17 practices and you can self-assess your results.
Level 2: This level is for contractors handling CUI, which will be the bulk of government contractors. The requirement covers the 110 practices from 800-171 and triennial (every three years) third-party assessments.
Level 3: This level is for contractors working with CUI on our nation’s most sensitive contracts, such as developing advanced weapons and vehicles. The requirement here includes the 800-171 controls plus additional ones, and requires triennial, government-led assessments.
There is a deadline for CMMC certification. It is expected to start showing up in RFPs near the end of 2024. The government’s goal is to have it implemented across the defense industrial base by October 2025. The sooner one complies, however, the better. As SteelCloud COO Brian Hajost says, “Compliance puts a halo around your proposal” and moves it to the top of the stack.
Automation is a necessary part of your requirements.
As mentioned above, the EO also calls out the need for automation in the development process as well as in the organizational operating environment. Identifying and fixing vulnerabilities can take weeks or months, and the secure baseline then has to be maintained through updates, new installations and new processes. That requires constant vigilance so your secure environment doesn’t drift into vulnerable territory. Reaching an initial secure baseline can take weeks or months with manual processes; with automation it takes about an hour.
Many will want to exceed the requirements and adhere to Security Technical Implementation Guide (STIG) or Center for Internet Security (CIS) standards. Both incorporate the 800-171 controls but go well beyond them to create iron-clad security across every endpoint in your system. As a result, automation tools built for STIG and CIS compliance can also help with 800-171 and CMMC. And since the difference between these targets is a matter of minutes once policies are established, becoming STIG or CIS compliant puts an even bigger halo around your organization for little added effort.
Show your customers you mean business.
Government agencies want to know you have secure practices. They need to know you are protecting their data. And they want you to do it efficiently, both to contain costs and to ensure an always-compliant environment. SteelCloud’s ConfigOS is the #1 tool used in the DoD and other sensitive agencies to secure their systems to STIG standards. Proven and perfected over years of government use, this patented solution will get that halo on your head faster.
SteelCloud is a leader in cybersecurity and all things NIST, STIG, CIS, CUI and CMMC. Download our CMMC for Dummies and CMMC Compliance: What the NIST? eBooks for more information about these requirements. And if you’re ready to get your CMMC party started, contact us for a demo.