In the realm of cloud security, public sector agencies have a lot on their plates. From keeping up with the barrage of constantly emerging security guidelines (see below) to the ongoing demands of maintaining software security, the pressure on the government to lock down cybersecurity is immense. Over the last couple of years, Federal Risk and Authorization Management Program (FedRAMP) certifications have emerged as a ubiquitous cybersecurity standard in the public sector – and it’s clear why.
As agencies move more IT functions to the cloud, FedRAMP enables cloud service providers to meet specific security requirements, such as those embedded in the Federal Information Security Management Act and the National Institute of Standards and Technology publications, allowing agencies to outsource with the confidence that their cloud provider partners are meeting those requirements.
Amid the recent cyberattacks – notably SolarWinds and Log4j – government agencies must double down on efforts to secure their software supply chains and implement zero trust. This is especially true given the results of Veracode’s annual report on the State of Software Security (SOSS), which showed that the public sector has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest fix rates compared to other industry sectors.
Veracode’s research found that compared to other industries, the public sector has the highest proportion of applications with security flaws, at 82 percent. When it comes to how quickly organizations fix flaws once detected, the public sector posts the slowest times on average — roughly two times slower than other sectors. The research also revealed that 60 percent of flaws in third-party libraries in the public sector remain unfixed after two years, which is double that of other sectors and lags the cross-industry average by more than 15 months. Finally, with only a 22 percent fix rate overall, the public sector is challenged to keep software supply chain attacks from impacting critical government applications.
We Are FedRAMP
This research points to the benefits that a Software as a Service (SaaS) application-level security platform would provide to government agencies by reducing the risk of security breaches through comprehensive analysis, developer enablement, and AppSec governance. It’s also why Veracode is proud to announce that we have officially received FedRAMP authority to operate (ATO) from the Securities and Exchange Commission (SEC) at the FedRAMP Moderate level for that exact platform.
The Veracode Platform is the only solution to provide visibility into application status across all testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing / Automated Pen Testing-as-a-Service, in one centralized view. And soon this platform will be generally available to agencies across the government with the FedRAMP authorization, ensuring data protection and application-level security in cloud environments.
FedRAMP is the new normal in public-sector cybersecurity standards. The best way to ensure mission success, while delivering best-in-class customer experience and maintaining compliance, is to leverage a complete platform solution that has FedRAMP approval. The time is now (if not yesterday) for government agencies to secure their software supply chains and implement zero trust. Veracode can help.
The federal government has leaped into action to establish a more secure posture with a flurry of executive orders, memoranda, and legislation to help guide this process. Below is a timeline of recent initiatives set forth by the administration.
- May 12, 2021, Executive Order 14028, Improving the Nation’s Cybersecurity: This EO works towards modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the US government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur. It also encourages private sector companies to follow this lead and take measures to augment and align cybersecurity investments with the goal of minimizing future incidents.
- December 13, 2021, Executive Order 14058, Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government: This EO directs that government leaders account for the experiences of the public in seeking government services, putting people at the center of everything the government does. Although the specific focus of this EO is on ‘customer experience,’ it does mention security as being essential to a good experience. As such, government agencies should refer to the cybersecurity EO for additional guidance.
- January 19, 2022, Presidential Memorandum: This memo builds on the Biden Administration’s work to protect our Nation from sophisticated malicious cyber activity. It requires that, at a minimum, National Security Systems employ the same network cybersecurity measures as those required of federal civilian networks in the EO on Improving the Nation’s Cybersecurity.
- January 24, 2022, Pentagon Memorandum: This memo concerns software development and open-source software. It focuses on how using externally maintained code in critical systems potentially creates a path for adversaries to introduce malicious code into Department of Defense (DoD) systems, and how imprudent sharing of code developed for DoD systems potentially benefits adversaries by disclosing key innovations.
- January 26, 2022, Office of Management and Budget (OMB) Memorandum: This memo sets forth a federal zero trust architecture strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of fiscal year 2024. It works to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns that target federal technology infrastructure, threaten public safety and privacy, damage the American economy, and weaken trust in government.
- February 4, 2022, NIST Secure Software Development Framework (SSDF) Version 1.1 and Software Supply Chain Security Guidance Under EO 14028 Section 4e: The SSDF is a core set of high-level secure software development practices that can be integrated into each software development lifecycle implementation. Following this framework can help software producers reduce vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. NIST also published guidance identifying practices that enhance the security of the software supply chain as part of its assignment from EO 14028. It defines guidelines for federal agency staff who have software procurement-related responsibilities, helping them to know what information to request from software producers regarding their secure software development practices.
- March 7, 2022, OMB Statement: OMB was directed by the May 12 EO to “take appropriate steps to require that agencies comply with such guidelines with respect to software procured after the date of this order.” These ‘guidelines’ refer to the NIST SSDF. OMB directed federal agencies to adopt the SSDF and related guidance effective immediately, noting that it should be tailored to an agency’s risk profile and mission.
- Ongoing Legislation: S.3600 Strengthening American Cybersecurity Act of 2022: This bill, passed by the Senate on 3/2/22, addresses cybersecurity threats against critical infrastructure and the federal government. The bill requires reporting and other actions to address cybersecurity incidents and provides statutory authority for FedRAMP within the General Services Administration.
- Ongoing Legislation: HR6497 Federal Information Security Modernization Act of 2022: This bill, introduced in the House on 1/25/22, addresses federal information security management, notification and remediation of cybersecurity incidents, and the roles of OMB and the Cybersecurity and Infrastructure Security Agency. It establishes specified pilot programs to enhance federal cybersecurity.
- Ongoing Legislation: S.3099 Federal Secure Cloud Improvement and Jobs Act of 2021: This bill, introduced in the Senate on 10/28/21, aids federal agencies in the quick and secure adoption of cloud-based technologies to improve government operations and efficiency. It also makes FedRAMP more accountable to the American people.