EO Outlines Actions to Strengthen Software Supply Chain Security across Federal Government

Client Alert

Citing the rise of cyber campaigns from China and other adversaries against the federal government, private sector and critical infrastructure, the White House published a new Executive Order to strengthen the nation’s cybersecurity defenses that focuses heavily on software supply chain visibility.

At a High Level

The EO seeks to increase accountability for software and cloud service providers through greater transparency and security, bolster cybersecurity overall, secure federal communications, combat cybercrime, and promote the use of AI for cybersecurity.

Why It Matters

Importantly for Exiger customers, the EO emphasizes the necessity for enterprise-level solutions, like those that Exiger provides, that leverage the scalability of AI to boost cyber and software supply chain risk identification and mitigation efforts. The EO also calls for heightened accountability on the part of government contractors selling technology or technology-based services into the federal government.

Who It Impacts

The EO focuses on government agencies, the Defense Industrial Base, and critical infrastructure. In addition to government organizations, it implicates private contractors. 

Keep in Mind

While the EO lays out important and useful steps to advance the Federal Government’s cybersecurity and cyber supply chain risk management practices, these steps would need to be supported by the incoming administration in order for them to come to full fruition.

What Exiger Is Already Doing

  • Exiger’s AI-powered, FedRAMP-authorized solutions satisfy the requirements outlined in the EO.
  • Our Ion Channel solution is used by government agencies and contractors to manage open-source software risk and guide priorities for vulnerability identification, security assessments and patching.
  • Exiger provides transparency and risk analysis into IT, OT, and IoT software, firmware, and hardware components, including legacy equipment for which there is no source code.
  • Exiger provides detailed insights into open-source components, including their pedigree, licensing, and associated risks, ensuring comprehensive management.
  • Exiger produces Software Bills of Materials (SBOMs) and machine-readable Vulnerability Disclosure Reports (VDRs) to help agencies identify and monitor vulnerabilities in third-party software.
  • The EO emphasizes identifying risks like single committers, FOCI signals (developers associated with sanctioned entities), end-of-life components, and anomalies in the chain of custody. Exiger’s Ion Channel platform already analyzes these leading indicators, helping mitigate risks before they escalate.
  • The EO calls for continuous monitoring and validation of attestations. Exiger’s solutions not only continuously monitor SBOMs and open-source software for vulnerabilities and leading risk indicators but also provide a complete third-party risk management suite that automates periodic refreshes, the collection and validation of attestations, and many other workflows involved in managing the third parties in your software ecosystem.

Stay Tuned

Exiger will be tracking any related developments as they emerge. Contact your Exiger Client Success Manager for more info about our C-SCRM solutions.


A Deeper Dive

Want the details? Our team has outlined relevant insights and EO recommendations below.


EO on Strengthening and Promoting Innovation in the Nation’s Cybersecurity

Securing Third-Party Software Supply Chains

The EO acknowledges the central role software providers play in supporting the federal government and the nation’s critical infrastructure but points out that software visibility and vulnerabilities remain a persistent threat. The EO calls for the adoption of more rigorous third-party risk management practices and assurances around software providers. The EO directs the following actions:

  • Recommend and implement changes to the FAR Council contract language requiring software providers to submit to CISA, including:
    • Machine-readable secure software development attestations
    • High-level artifacts to validate those attestations
    • A list of the providers’ FCEB agency software customers
  • Evaluate emerging methods of generating, receiving, and verifying machine-readable software development attestations and artifacts.
  • Develop a program to verify attestations, with validation results to be posted publicly. (The National Cyber Director is encouraged to refer attestations that fail validation to the Attorney General for action as appropriate.)

Recognizing that secure software development practices alone no longer provide sufficient protection against cyberattacks, the EO asserts that software providers must be able to address how software is delivered and attest to the security of the software itself. The EO directs the following actions:

  • Establish a consortium with private industry at the National Cybersecurity Center of Excellence to develop guidance that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800-218 (the Secure Software Development Framework, SSDF).
  • Update NIST Special Publication 800-53 to provide guidance on how to securely and reliably deploy patches and updates.
  • Implement recommended changes to SSDF and make any revisions to CISA’s common form for Secure Software Development Attestation.

Despite improving cyber defenses, adversarial supply chain attacks, focused on products and services used by the federal government, persist. To combat this, the EO calls on agencies to integrate cybersecurity supply chain risk management programs into their larger enterprise-wide risk management activities. The EO directs the following action:

  • Require agencies to comply with the guidance in NIST Special Publication 800-161 Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.

Recognizing cost and innovation benefits, the EO calls on agencies to better manage their use of open-source software. The EO directs the following action:

  • Provide recommendations to agencies on security assessments and patching of open-source software, and on best practices for its use.

Improving Federal System Cybersecurity

The EO calls on the federal government to adopt proven security practices from private industry to improve risk visibility across government systems and networks and directs investment to prioritize innovative technologies. The EO directs the following actions:

  • Strengthen CISA’s capability to hunt for and identify threats.
  • Develop the technical capability to gain timely access to required data from FCEB agency endpoint detection and response (EDR) solutions and FCEB agency security operations centers, in order to enable timely hunting and identification of threats and vulnerabilities, identification of cyber campaigns, and coordination of efforts on information security policies and practices.
  • Enable CISA to gain timely access to required data to achieve these capabilities.
  • Develop FedRAMP policies and practices to incentivize or require FedRAMP cloud service providers to produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems.
  • Review the civil space contract requirements in the FAR and recommend updates to civil space cybersecurity requirements and relevant contract language.

Improve Security by Deploying AI

Recognizing the enormous potential of AI to scale threat detection, the EO calls on the federal government to accelerate the deployment of AI. The EO directs the following actions:

  • Implement a pilot program with private sector participants on the use of AI to enhance cyber defense of critical infrastructure in the energy sector, exploring vulnerability detection, automatic patch management, and the identification and categorization of anomalous and malicious activity.
  • Establish a program to use advanced AI models for cyber defense.
  • Prioritize funding for programs that encourage the development of large-scale, labeled datasets to make progress on cyber defense research, and ensure existing datasets are accessible to the broader academic research community.
  • Prioritize research on human-AI interaction methods to assist defensive cyber analysis; security of AI coding assistance; methods for designing secure AI systems; and methods for prevention, response, remediation, and recovery of cyber incidents involving AI systems.
  • Incorporate management of AI software vulnerabilities into agencies’ processes and interagency coordination mechanisms for vulnerability management, including incident tracking, response, and reporting, and by sharing indicators of compromise.

Revising Agency Policies to Prioritize Network Visibility and Security

Infrastructure and networks that support agencies’ critical missions must be modernized; this requires alignment of investment, priorities, and policy. The EO directs the following actions:

  • Revise OMB Circular A-130 to address critical risks and adapt modern practices and architectures across federal IT systems.
  • Establish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance that OMB, NIST, and CISA publish and manage regarding cybersecurity.
  • Evaluate common cybersecurity practices and security control outcomes that are commonly used or recommended across industry sectors, international standards bodies, and other risk management programs, and based on that evaluation issue guidance identifying minimum cybersecurity practices.
  • Review and implement recommendations for the FAR Council to amend the FAR to require government contractors to follow the applicable minimum cybersecurity practices identified in NIST’s guidance.
  • Adopt requirements for agencies to, by January 4, 2027, require vendors to the federal government of consumer Internet-of-Things products to carry United States Cyber Trust Mark labeling for those products.

Policy recommendations to secure federal communications, combat cybercrime, and amend EO 13694 to combat malicious cyber activities are also addressed in the EO.
