In September 2022, the White House Office of Management and Budget (OMB) gave federal agencies a year to collect software attestations and supporting artifacts, such as SBOMs, from government software vendors to verify their compliance with secure software development practices.

Fortress’s new Chief Review Officer Nick Nilan spoke to Defense and Aerospace Report’s Vago Muradian on the weekly Cyber Report Podcast to discuss OMB’s SBOM decision and other timely topics regarding supply chain cybersecurity. 

A Needed Move

“What we’re seeing is definitely a move toward a trust-but-verify model, away from attestation, which will hopefully give a better risk model for everything that our federal agencies buy,” Nilan said. 

The new CRO told Muradian that Fortress has advocated for regulations like this for a long time, and believes these changes are great first steps toward changing how the federal government assesses cyber risk in everything it buys. 

He went on to say that he would like to see these requirements further institutionalized in the Federal Acquisition Regulation (FAR) so that they become a required part of the acquisition cycle, including “the use of SBOMs and HBOMs [hardware bills of materials], but also a continuous monitoring of the risk in federal agencies’ entire supply chain beyond first level suppliers,” Nilan added.

Paying For The Change

“I think the funding is going to be commensurate with the problem, and the problem is large,” Nilan said. “We have hundreds of thousands of vendors in the defense industrial base alone and we expand that once we get to the federal base of vendors. Then if we get out in the critical infrastructure, it gets even larger.”

Nilan told listeners that OMB’s decision is an ideal opportunity to develop public-private partnerships to share the load. He said he expects the federal government will be prepared to pay more for better security, but vendors who want to continue to do business with the largest buyer of services in the world also need to be willing to invest in ensuring their products meet those requirements. 

“We both need to be invested in improving the cybersecurity of our supply chain,” Nilan said. “That public-private partnership is going to continue to expand over the next several years.”

Addressing The Challenge

Nilan concluded the conversation with a candid discussion about the growing cyber supply chain threat. He told Muradian there is “no hiding the fact that the world is becoming a more dangerous place.” He pointed to recent reports of the United States being targeted by bad actors around the world, but said he believes now is not the time for companies and government entities to lose faith.

“I would suggest that anybody looking at this problem should not shy away from it because of the challenge,” Nilan encouraged. “Meet that challenge by prioritizing the problems, identifying your most critical assets that absolutely need an SBOM or HBOM, and working with a trusted vendor to help you meet the regulations.”

Gain An Upper Hand On Your Cybersecurity Battles

Today’s flattened supply chain provides economic and technology benefits, but it can also result in a disconcerting lack of visibility as agencies and programs seek to protect data, intellectual property, and systems to maintain national security. The result is an increased vulnerability to intrusions, hacks, and more sophisticated cyberattacks — putting information, operations, critical infrastructure, and the organization’s mission at risk.

Be proactive by knowing where you and your supply chain are vulnerable to disruption and attack. At Fortress, our job is to protect defense vehicles and frigates long before the shooting ever starts.