In May of 2021, President Biden issued an unprecedented Executive Order on Improving the Nation’s Cybersecurity as a blueprint for federal agencies and private sector partners to improve their cybersecurity posture. Following high-profile incidents like the SolarStorm supply chain attack, the order prioritized critical areas for securely modernizing federal IT infrastructure.
Among other directives, the Executive Order requires government agencies to purchase only software that meets secure development standards to protect government data. To support the Executive Order, the National Institute of Standards and Technology (NIST) issued guidance in February of 2022 to provide federal agencies with best practices for enhancing the security of the software supply chain. Two sets of guidance were released by NIST: the Secure Software Development Framework (SSDF) and the companion Software Supply Chain Security Guidance.
The Executive Order directs the U.S. Office of Management and Budget (OMB) to take appropriate steps to require that agencies comply with the NIST guidelines within 30 days. This means that federal agencies must begin adopting the SSDF and related guidance immediately while customizing it to the agency’s risk profile and mission. Vendors who supply software to the U.S. government will soon also have to attest to meeting these guidelines.
In developing the guidelines, NIST gathered extensive input from technology professionals and other federal agencies through the solicitation of papers and virtual workshops, including input from Palo Alto Networks. Let’s look at some of the components of the NIST guidelines:
At Palo Alto Networks, the security of our customers and the integrity of our solutions are our highest priorities. We are committed to a rigorous and secure Zero Trust development environment for ourselves and our customers. In addition to state-of-the-art tools and techniques to detect any inadvertent vulnerabilities in code, these measures include:
Additionally, we undertake a number of internal processes to ensure the integrity of our own products, which include software and firmware signing, secure updates, signature verification and additional oversight. We institute restrictions on who scopes and defines source code changes, reviewing new source code with a hierarchy of oversight and ensuring a “chain of custody” throughout development, testing and quality assurance processes. Our approach standardizes the software development, deployment, delivery and operation pipeline to ensure there are sufficient and necessary security controls in all phases.
Altogether, this is unified security for DevOps and security teams.
Our mission at Palo Alto Networks is to be the cybersecurity partner of choice, protecting today’s digital way of life. We support the Executive Order on Improving the Nation’s Cybersecurity and the subsequent guidance from NIST. In fact, NIST published a case study highlighting Palo Alto Networks’ end-to-end supply chain risk management practices in 2020. We look forward to working with our federal partners to meet these coming attestation requirements and to continuing to serve as a trusted ally in advancing secure development standards. Contact the Palo Alto Networks federal team for additional information.