US government agencies given a new deadline to secure critical software
A recent memo from the US Office of Management and Budget gives agencies 60 days to identify and 12 months to secure their critical software. This explicitly includes web applications deployed on-premises or in the cloud, as many of these provide access to critical data or systems. Time is short, so novel solutions are needed to keep agency systems compliant and secure.
On August 10, 2021, the US Office of Management and Budget (OMB) released a memorandum in response to President Biden’s Executive Order (EO) 14028, Improving the Nation’s Cybersecurity. Published back in May, the order recognizes the importance of software security to protect against malicious cyberattacks that threaten the American people’s security and privacy. See our earlier blog post for an analysis of the EO and its significance for web application security.
Identify and protect critical software
The August memo provides instructions that agencies must implement in phases as part of an effort to meet the goals of the order. The clock is ticking: agencies now have 60 days to identify 12 types of critical software that they are using on-premises or are in the process of acquiring for on-premises use.
Once agencies identify those software installations, the OMB is giving them 12 months to implement the latest software protections in line with measures defined by the National Institute of Standards and Technology (NIST). On July 8, 2021, NIST issued Security Measures for “EO-Critical Software” Use as a guide to rapidly identify, document, and mitigate known vulnerabilities. Recommended measures include patching, updating, or upgrading software to a supported version to continuously reduce exposure time.
Secure critical web applications
Scanning and testing web applications is nothing new, but many vulnerability management processes have become antiquated, leading to long software release cycles. As demonstrated by recent ransomware hacks and breaches, agencies are left vulnerable when cybersecurity best practices are ignored in an effort to expedite the release of applications. The most common tools to address application vulnerability management are outlined under NIST SP 800-53 SA-11 guidelines, and these specifically call for the use of dynamic application security testing (DAST) and interactive application security testing (IAST) platforms.
Modern DAST & IAST platforms can optimize software release cycles and security compliance for both on-premises and cloud-based web applications by:
- Leveraging auto-discovery mechanisms to ensure that all assets are identified, scanned, and protected.
- Automatically validating vulnerabilities through proof-based verification technologies.
- Integrating into the software development lifecycle (SDLC) for remediation of vulnerabilities within existing workflows and improved collaboration between AppSec and DevOps teams.
Modern solutions for timely results
The federal government’s ability to perform its critical functions depends on the security of its software. It is therefore imperative that agencies utilize modern web application security tools to protect against today’s sophisticated malicious cybercampaigns. Invicti’s DAST & IAST solutions can help agencies continually diagnose and mitigate security issues for all web applications, as recommended by NIST SP 800-53 SA-11 and mandated by the OMB memo.
When supported by best-of-breed web application security testing solutions, agencies will be able to meet the new regulatory requirements and ensure the security of public information and critical infrastructure without compromises.