Biden Tells Microsoft, Other Government Software Suppliers to Boost Cyber Defenses

(Bloomberg) -- Software companies doing business with the US government such as Microsoft Corp. and Cisco Systems Inc. will have to attest that their products comply with new national cybersecurity standards under White House rules published Wednesday.

The requirements, published in a memo from the Office of Management and Budget, are intended to avoid a repeat of the 2020 SolarWinds hack, in which nine federal agencies were compromised.

The new guidance has been expected since President Joe Biden signed an executive order in May 2021 to improve the nation’s cybersecurity, following a string of damaging hacks including SolarWinds and an attack that shut down the Colonial Pipeline Co. system.

But the OMB rules immediately drew criticism from some cybersecurity experts who regard the requirements as too weak. Under the memo, producers of critical software must “self-attest” to federal agencies that they are in compliance with the new development standards.

“An assertion from a software provider that they are following a cybersecurity standard is not sufficient,” said Jonathan Reiber, formerly chief strategy officer for cyber policy in the office of the Secretary of Defense in the Obama administration.

He said the government should rely on data from the companies rather than statements. “I hereby attest that I’m as fit as Dwayne Johnson,” he quipped, adding: “Uh-huh sure.”

Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, said in a blog post on Wednesday that the American people need access to secure and reliable software “that manages everything from tax returns to veteran’s health records.”

“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” DeRusha wrote. “With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”

Julie Dunne, former commissioner of the US General Services Administration’s federal acquisition service, and now at lobbying firm Monument Advocacy, said the rules place a “pretty significant compliance burden” on vendors. “All the big ones will be affected,” she said.

She cautioned that although the requirement focused on “self-attestation,” companies could still be liable for their products. “It’s going to be an important kind of quality assurance,” she added.

The Washington Post reported the memo’s publication earlier on Wednesday.

The guidance also requires federal agencies to conduct inventories in the next 90 days to ensure third-party software on government information systems complies with standards set by the National Institute of Standards and Technology.

©2022 Bloomberg L.P.