Federal agencies need to adjust their cyber threat scanning protocols so that they get a full-scope analysis of the risk factors within their networks, rather than just scratching the surface, State Department officials said on August 11 at an event organized by Federal News Network.
The State Department was among many private and public sector organizations to discover their exposure to the Log4j cyber vulnerability last year. That discovery was a wake-up call to adjust risk scanning practices, said Donna Bennett, the State Department’s chief information security officer.
“As we were going through, we started finding that Log4j was embedded in every single aspect of every application that resides on the network,” Bennett said.
“You have your regular scanner that scans the network, but you also have to have your application scanner that goes into the code itself,” she said. “It taught us that you have to look a lot deeper as we start to build out the supply chain risk management program within the State Department.”
Beyond code scanning tools, another way to get a better handle on what vulnerabilities could be lurking deep within an agency’s software is to require contractors and vendors to disclose the components of their products before contracts are signed. That’s where software bills of materials – or SBOMs – come in.
The State Department is considering developing evaluation factors in its IT solicitations that would require contractors to provide SBOMs so the agency can do license analysis and vulnerability analysis, and get visibility into all of the components, including nested ones, that are included in a piece of software.
“We’re asking contractors to share that with us, and if a company has a good track record of managing those vulnerabilities, that might be something that we take into consideration – it could be a distinguishing factor in who gets an award and who doesn’t,” said Mike Derrios, the State Department’s chief procurement executive.
“We’re looking at requiring contractors to start offering a greater degree of transparency into their supply chains during the procurement process itself,” he said.
President Biden highlighted SBOMs in his May 2021 cybersecurity executive order (EO 14028) as one specific way to give agencies more insight into the provenance of their software.
The cyber EO also tasks the National Telecommunications and Information Administration and the National Institute of Standards and Technology with creating new guidelines for SBOMs and other aspects of software supply chain security.
SBOM isn’t a silver bullet, but it is one more way Federal agencies can improve insight into their cyber posture, and it is only as useful as the depth of the component listing: an SBOM that stops at top-level dependencies would miss the kind of nested Log4j copies Bennett described. Among other measures, the State Department has already started to build a catalogue of known exploited vulnerabilities so that it can match them against the products it knows to be running the affected software, the agency officials said.
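As an added example that is not from the article or from the State Department’s own tooling, here is the kind of SBOM check the procurement and KEV-catalogue passages above describe, in Python: it parses a constructed CycloneDX-style SBOM, matches each component’s package URL against a small known-exploited-vulnerabilities list that carries version ranges, flags licenses outside an allowlist, and walks the dependency graph so a hit can be traced back to the application that pulled it in. The SBOM contents, the application name and the catalogue shape are assumptions made for this example. The two CVE entries are real (the Log4j CVE-2021-44228, fixed in log4j-core 2.15.0, and its follow-on CVE-2021-45046, fixed in 2.16.0), but the version ranges are filled in by hand here because the CISA KEV feed itself lists vendor, product and CVE without version ranges.

```python
import json
import re

# Constructed CycloneDX-style SBOM (a subset of the 1.4 JSON fields). The
# application, its components and the dependency graph are made up for this
# example; log4j-core is deliberately pulled in transitively, via "chartlib".
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "bom-ref": "app",
                             "name": "example-portal", "version": "3.2.0"}},
  "components": [
    {"type": "library", "bom-ref": "spring", "name": "spring-core", "version": "5.3.20",
     "purl": "pkg:maven/org.springframework/spring-core@5.3.20",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "chart", "name": "chartlib", "version": "1.0.4",
     "purl": "pkg:maven/com.example/chartlib@1.0.4",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "bom-ref": "log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "log4j-api", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["spring", "chart"]},
    {"ref": "chart", "dependsOn": ["log4j"]},
    {"ref": "log4j", "dependsOn": ["log4j-api"]}
  ]
}
"""

# Constructed catalogue shape (assumption): package coordinates plus an affected
# range [introduced, fixed). The CVE ids and fix versions are the real Log4j ones;
# CISA's KEV feed does not carry ranges, so they are supplied here by hand.
KEV_CATALOGUE = [
    {"cve": "CVE-2021-44228", "type": "maven", "namespace": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"cve": "CVE-2021-45046", "type": "maven", "namespace": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.16.0"},
]


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into its parts; qualifiers (?...) and
    subpaths (#...) are dropped. Percent-encoded segments are not decoded here."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: %r" % purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    segments = path.split("/")
    return {"type": segments[0], "namespace": "/".join(segments[1:-1]) or None,
            "name": segments[-1], "version": version or None}


def _version_key(version):
    """Order dotted versions numerically ('2.14.1' < '2.15.0'); non-numeric segments
    compare as strings. Pre-release tags are not modelled; a production matcher should
    use the ecosystem's own version scheme (Maven, semver, ...)."""
    return tuple((1, int(s)) if s.isdigit() else (0, s) for s in re.split(r"[.\-]", version))


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means no fix released)."""
    v = _version_key(version)
    if v < _version_key(introduced):
        return False
    return fixed is None or v < _version_key(fixed)


def dependency_paths(sbom, ref):
    """Walk the 'dependencies' graph upward from ref and return every chain from a
    root component down to it, as component names."""
    parents = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, []).append(dep["ref"])
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", []) if "bom-ref" in c}
    meta = sbom.get("metadata", {}).get("component")
    if meta and "bom-ref" in meta:
        names[meta["bom-ref"]] = meta["name"]
    paths = []

    def walk(node, chain):
        if node not in parents:
            paths.append([names.get(n, n) for n in reversed(chain)])
            return
        for parent in parents[node]:
            if parent not in chain:  # guard against cyclic dependency entries
                walk(parent, chain + [parent])

    walk(ref, [ref])
    return paths


def analyze_sbom(sbom_json, catalogue, license_allowlist):
    """Match every component (not just top-level ones) against the catalogue and the
    license allowlist; each vulnerability hit carries the paths that pull it in."""
    sbom = json.loads(sbom_json)
    findings = {"vulnerable": [], "license": []}
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # a component without coordinates cannot be matched reliably
        p = parse_purl(purl)
        for entry in catalogue:
            same_package = (p["type"], p["namespace"], p["name"]) == \
                           (entry["type"], entry["namespace"], entry["name"])
            if same_package and p["version"] and \
                    version_in_range(p["version"], entry["introduced"], entry["fixed"]):
                findings["vulnerable"].append({"purl": purl, "cve": entry["cve"],
                                               "paths": dependency_paths(sbom, comp["bom-ref"])})
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id and lic_id not in license_allowlist:
                findings["license"].append({"purl": purl, "license": lic_id})
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze_sbom(SBOM_JSON, KEV_CATALOGUE, {"Apache-2.0", "MIT"}), indent=2))
```

Two design points matter for the Log4j lesson in the article: the match runs over the full component list, so a log4j-core copy sitting under a third-party charting library is found and reported with the path that brought it in, and the match is coordinate-exact, so log4j-api in the same namespace is correctly not flagged. The version comparison is deliberately minimal; swap in the ecosystem’s own version rules before trusting it on anything other than plain dotted versions.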