US government extends software security deadline because vendors aren't ready

The Biden Administration has extended the deadline for federal agencies to submit documentation proving that the software they use was developed with appropriate security practices, because the form for reporting on such matters isn't complete. Since coming into office in 2021, the Administration has focused on cybersecurity …

  1. An_Old_Dog Silver badge

    Missing the Basics

    NIST publication "SP 800-218, Secure Software Development Framework" (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf) has a lot of bureaucratic-buzzword-speak, but also has some good things. For example, "Task PO.2.3 Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development-related roles and responsibilities."

    Speaking for myself, a portion of that commitment (if it is true commitment and not just lip service) must include the needed time, people, and equipment to do the job properly. If the managers choose not to commit to secure development, the devs or lower-level managers can't force them to do so. Are the devs or lower-level managers then to be blamed for "failing" to execute task PO.2.3?

    As long as companies and their managers allow artificial deadlines to be imposed without consideration of the resources needed to do the job properly, security bugs will be introduced and/or not fixed.

    That's particularly true when the artificial deadline is imposed by the government, with penalties for failure to ship on time. Of course the company will ship something by the deadline, and if security bugs are found in that product, the company will say, "Oh, gee, we're sorry."

    1. Doctor Syntax Silver badge

      Re: Missing the Basics

      A slight rewording should improve that by placing the responsibility where it belongs:

      "Task PO.2.3 Upper management or authorizing official commit to secure development, and convey that commitment to all with development-related roles and responsibilities."

  2. amanfromMars 1 Silver badge

    What could possibly go wrong/awry and take off in an unknown novel direction

    So Uncle Sam is thinking software developers marking their own homework is an acceptable solution?

    Hmmm .... Now there’s a novelty and massive vulnerability for export and exploitation and future development in systems penetrations testing programs.

    One would almost imagine as perfectly true, the fact that governments and their many executive satellite offices [eg National Institute of Standards and Technology's (NIST)/Office of Management and Budget (OMB)/US Cybersecurity and Infrastructure Security Agency (CISA)] have zero command and control on what is to be, and what is yet to be developed and delivered by A.N.Others.

    And that applies to all governments worldwide and their many executive satellite offices, for all are equally deficient in having the necessary wherewithal to prevent intrusive interventions and deeply disturbing investigations into future likely scenarios to be defended and obscured by any proposed regulation of revealing technological advances/quantum leaps.

  3. EnviableOne

    Regulations should also address open-source software

    JK right

    All open-source licences confer no warranty that the software is fit for the intended purpose.

    If you are going to use an open-source tool, you need to ensure its security before you use it in your product, and if it's broken, do the hobbyist a favour: fix it and submit it.
