Commerce Proposes Third Party Audits as Criteria in Supply Chain Rule for Software

The commerce secretary should consider whether a trusted third party has assessed the security of connected software applications when reviewing transactions with US entities, according to a new proposal from the department.

Commerce proposed adding “the lack of a complete and reliable third-party audit of connected software applications” to a list of criteria to determine whether imports and other transactions involving information and communications technology are approved, according to a notice published in the Federal Register on Friday.

The proposal is in response to an executive order that President Joe Biden issued in June ordering Commerce to adjust an order by former President Donald Trump that was aimed at limiting the reach of foreign adversaries seeking to acquire confidential data from Americans. While Biden’s order reversed Trump’s bans specifically targeting TikTok and WeChat, it kept the core of Trump’s order authorizing the Commerce Secretary to deny transactions deemed threatening to national security under the International Emergency Economic Powers Act.

Biden’s order also expanded Trump’s order by making “connected software applications” subject to reviews and focusing on third-party audits, a highly debated area of cybersecurity policy, as evidenced by the Department of Defense’s Cybersecurity Maturity Model Certification program.

The proposal Commerce released on Friday also opens the conversation, seeking comment on whether it goes far enough or should be tailored more closely.

“The Department seeks public comment on these criteria, including how the Secretary should apply them to ICTS transactions involving connected software applications, and whether there are additional criteria that the Secretary should consider with respect to connected software applications,” the notice says.

Commerce further asks whether certain criteria should be considered even if a foreign adversary is not directly involved.

“Should the Department add criteria such as whether the software has built-in outgoing network calls or references to web servers, regardless of ownership, control, or management of the software?” wrote the department.

The notice also raises questions that would be applicable to other agencies or organizations considering the use of third-party verification for supply chain security. It asks, for example, whether terms like “independently verifiable measures” need to be defined in the rule, whether the audits should apply only to the connected software applications or also to the organization deploying them, whether third-party security verification should be understood as a continuous process throughout the life cycle of the application deployment, and whether the rule, as proposed, should be understood to apply only to source code or also to activities such as log monitoring.

Supply chain threats to information and communications technology have received increased attention this year due to cyberattacks by suspected state actors.

A recent report from the Government Accountability Office on the Cybersecurity and Infrastructure Security Agency’s management of the communications sector, for example, pointed to aggressive activity by China, highlighting the need for employee training on threat detection.

The report recommended that CISA update its own industry security assessment to include emerging risks posed by the information and communications technology supply chain.

CISA agreed and committed to update its plan for the communications sector, last issued in 2015, by September 2022.
