The White House Office of Management and Budget released a memo last week setting out how federal agencies, and the contractors that supply them, must ensure that the software they use is developed in line with the secure development practices the government has adopted (the NIST guidance issued under the 2021 cybersecurity executive order).

Fortress, along with many others in the cyber ecosystem, has been calling for tougher government standards for both software and hardware as a means to reduce vulnerabilities that can be exploited by threat actors and safeguard critical infrastructure.

We are seeing more and more incidents, in both government and industry, that reveal just how vulnerable our most vital systems are because of the software they depend on: SolarWinds (a compromised vendor build pipeline) … Log4j (a critical flaw in an open-source library embedded in countless products) … the Colonial Pipeline ransomware attack. There are also growing concerns about hardware vulnerabilities and about reliance on computer chips manufactured outside the U.S.

“I applaud the White House today in setting those standards and pushing them out because what it’s going to do for all of us is supply a consistent set of standards that can be used across many different industries,” said Fortress Chief Operating Officer Betsy Soehren-Jones. “The consistency piece is very important.”

Critical infrastructure is rarely a single type of business. One utility company may run several lines of business, each covered by its own industry-specific guidelines, and implementing several different sets of guidelines at once is almost impossible.

“Getting a consistent set of guidelines only helps us work with our manufacturing community to make sure those standards are built into the product, not just bolted on,” said Soehren-Jones.

The OMB memo is a necessary starting point. Everything we do in cyber defense is an iterative process, and we can’t wait until we have the perfect set of guidelines in place to start safeguarding our most sensitive data and systems.

“The question is going to become what is the maintenance cycle for all of these standards. How do we take the learning from the events that are inevitably going to happen over the next several years and start to iterate on top of these standards,” said Soehren-Jones. “Getting this first version out was critically important.”

Fortress has long been a proponent of using software and hardware bills of materials (SBOMs/HBOMs) to document what a product actually contains, so that vulnerabilities in those components, which the purchaser often had no way of knowing were present, can be identified and then mitigated by patching or, where no fix exists, by adding compensating protections. What we’ve learned is that the vendor community is reluctant to share detailed component information because they expect the onus will fall entirely on them to fix everything, in an industry where flaws are inevitable. But that is what makes this situation unique, says Soehren-Jones.

“It’s not lost on the purchasers or users of these different pieces of software that there may be flaws and that they’re going to have to deal with those flaws,” she said. “But understanding where they are gives them a better roadmap of what they need to do in their own environments.”

That is the knowledge SBOMs and HBOMs provide, and why they are so vital to prioritizing and implementing better cyber defenses … across critical infrastructure and every other industry.
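To make concrete what "understanding where the flaws are" looks like in practice, here is an added example (written for this page, not Fortress's own tooling; the product, package names, versions and advisory identifiers are all constructed for illustration). It parses a CycloneDX-style SBOM, matches each component's package URL against an advisory feed, checks whether the shipped version falls inside the affected range, and reports the dependency path through which the flawed component enters the product, with an upgrade target where a fix exists and a flag for compensating controls where none does.

```python
"""SBOM-driven vulnerability triage (added example; all data below is constructed)."""
import json
from typing import List, Optional, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical product "meter-gateway".
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"bom-ref": "app", "name": "meter-gateway", "version": "3.2.0"}},
 "components": [
  {"bom-ref": "c1", "type": "library", "name": "example-logger", "version": "2.14.1",
   "purl": "pkg:maven/org.example/example-logger@2.14.1"},
  {"bom-ref": "c2", "type": "library", "name": "example-http", "version": "1.9.0",
   "purl": "pkg:maven/org.example/example-http@1.9.0"},
  {"bom-ref": "c3", "type": "library", "name": "example-tls", "version": "0.8.3",
   "purl": "pkg:generic/example-tls@0.8.3"}
 ],
 "dependencies": [
  {"ref": "app", "dependsOn": ["c2", "c3"]}, {"ref": "c2", "dependsOn": ["c1"]},
  {"ref": "c1", "dependsOn": []}, {"ref": "c3", "dependsOn": []}
 ]
}"""

# Constructed advisory feed: hypothetical identifiers, not real CVEs.
ADVISORIES = [
    {"id": "EX-2021-0001", "package": "pkg:maven/org.example/example-logger",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "EX-2022-0002", "package": "pkg:generic/example-tls",
     "introduced": "0.8.0", "fixed": None},        # no fixed release published
    {"id": "EX-2022-0003", "package": "pkg:maven/org.example/example-http",
     "introduced": "1.0.0", "fixed": "1.8.0"},     # this SBOM already ships a fixed version
]


def load_sbom() -> dict:
    return json.loads(SBOM_JSON)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); pre-release tags ('1.0-rc1') are ignored, padded to 3 parts."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Strip qualifiers/subpath, then split 'pkg:type/ns/name@ver' into (name, ver)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected if introduced <= version < fixed (any version >= introduced when no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def dependency_paths(sbom: dict, target_ref: str) -> List[List[str]]:
    """All paths from the product root to target_ref, so the report shows which
    direct dependency pulls the flawed component in. Cycles are guarded by ref."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    names = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    root = sbom["metadata"]["component"]
    names[root["bom-ref"]] = root["name"]
    paths: List[List[str]] = []

    def walk(ref: str, trail: List[str]) -> None:
        if ref in trail:
            return
        trail = trail + [ref]
        if ref == target_ref:
            paths.append([names.get(r, r) for r in trail])
            return
        for child in graph.get(ref, []):
            walk(child, trail)

    walk(root["bom-ref"], [])
    return paths


def triage(sbom: dict, advisories: List[dict]) -> List[dict]:
    """Match every SBOM component against the feed and build a remediation roadmap."""
    findings = []
    for comp in sbom["components"]:
        name, version = split_purl(comp.get("purl", ""))
        version = version or comp.get("version")
        if not name or not version:
            continue  # component lacks identity; cannot be matched
        for adv in advisories:
            if adv["package"] != name or not is_affected(version, adv["introduced"], adv["fixed"]):
                continue
            action = (f"upgrade to {adv['fixed']} or later" if adv["fixed"]
                      else "no fixed release: apply compensating controls")
            findings.append({"component": f"{comp['name']}@{version}", "advisory": adv["id"],
                             "action": action,
                             "paths": [" -> ".join(p) for p in dependency_paths(sbom, comp["bom-ref"])]})
    return sorted(findings, key=lambda f: f["advisory"])


if __name__ == "__main__":
    for f in triage(load_sbom(), ADVISORIES):
        print(f"{f['advisory']}: {f['component']} ({f['action']})")
        for p in f["paths"]:
            print("    via", p)
```

Run as-is it reports two findings: the logger, reached transitively through the HTTP library, with a concrete upgrade target, and the TLS library, which has no fixed release and so needs a compensating control rather than a patch; the HTTP library is listed in the feed but the shipped version is already past the fix, so it is correctly left out. Real deployments would replace the constructed feed with a vulnerability database and use a proper version-range library, but the flow (identify what is present, match it, then plan patch or protection per component) is the one the article describes.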