In May 2021, the President of the United States signed the Executive Order on Improving the Nation’s Cybersecurity. Developed in the wake of the SolarWinds Orion software supply chain breach, the Executive Order (EO) directs several US Federal Government agencies to better coordinate in preventing, detecting, responding to and mitigating security incidents and breaches.
Section 4 of the EO, Enhancing Software Supply Chain Security, introduces several new third-party risk management requirements for Federal agencies to implement. Specifically, the EO seeks to improve the software supply chain through specific guidelines that can be used to evaluate software security, including criteria to evaluate the security practices of the developers and suppliers themselves, and identifying tools and methods to demonstrate compliance with these secure practices.
Prevalent automates the critical tasks required to identify, assess, analyze, remediate, and continuously monitor third-party security, privacy, operational, compliance and procurement-related risks across every stage of the vendor lifecycle. With Prevalent, agencies can:

- Identify which suppliers are considered critical, and focus assessment efforts on those that present the most inherent risk to operations
- Regularly assess the secure software development lifecycle practices of key third parties that contribute code or updates to final builds
- Continuously monitor the dark web, hacker chatter and other related forums for activity related to third parties
- Triage and remediate assessment and monitoring findings
- Centralize documentation and reporting for auditors
Meeting Requirements of the Executive Order on Improving the Nation's Cybersecurity
Here’s how Prevalent can help assess third-party suppliers per the Executive Order:
| EO Requirement | How We Help |
|---|---|
| 4 (e) (i) (A)-(F): Such guidance shall include standards, procedures, or criteria regarding: | When assessing third-party software security practices, take advantage of existing industry-accepted standardized risk assessment questionnaire templates including the Standard Information Gathering (SIG), NIST, CMMC, and related assessments built into the Prevalent TPRM Platform. Utilizing a single standardized assessment across your supplier base ensures that agencies can more efficiently compare the software security practices of their suppliers. Note: Agencies can also take advantage of the Prevalent Vendor Risk Networks, which contain completed security risk assessments to accelerate the risk identification process. |
| 4 (e) (ii): generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i) of this section; | When assessing a third party's secure software development practices, leverage Prevalent's capability to centralize supporting evidence in the Platform with built-in task and acceptance management, plus mandatory upload features. A secure document repository ensures that relevant parties can review documentation and artifacts accordingly. |
| 4 (e) (iii): employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code; | See 4 (e) (i) (A)-(F) above. |
| 4 (e) (iv): employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release; | Third parties must scan, triage and remediate vulnerabilities in their software and code, and attest to it. But threats don't end there. Security teams should also monitor the Internet and dark web for cyber threats, leaked credentials, or other indicators of compromise that can open pathways into Federal systems if left undetected. Prevalent Vendor Threat Monitor combines feeds directly into the Prevalent Platform to ensure organizations have a complete view of risks, whether revealed during a periodic assessment or through continuous monitoring. |
| 4 (e) (v): providing, when requested by a purchaser, artifacts of the execution of the tools and processes described in subsection (e)(iii) and (iv) of this section, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated; | The Prevalent TPRM Platform reveals risk trends, status, remediations, and exceptions to common behavior for individual suppliers or groups with embedded machine learning insights. This enables teams to quickly identify outliers across assessments, tasks, risks, etc. that could warrant further investigation. |
| 4 (e) (vi): maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis; | Prevalent automatically maps information gathered from internal audits to standards or regulatory frameworks applicable in this EO, including NIST, CMMC and others, to quickly visualize and address important control deficiencies and attest to practices. |
| 4 (e) (vii): providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website; | See 4 (e) (i) (A)-(F) above. |
| 4 (e) (viii): participating in a vulnerability disclosure program that includes a reporting and disclosure process; | See 4 (e) (i) (A)-(F) above. |
| 4 (e) (ix): attesting to conformity with secure software development practices; and | See 4 (e) (ii) above. |
| 4 (e) (x): ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product. | See 4 (e) (vi) above. |