Cybersecurity takes a big hit in new Trump executive order



The departments of Commerce, Treasury, Homeland Security and the National Institutes of Health were all compromised. A large roster of private companies—among them Microsoft, Intel, Cisco, Deloitte, FireEye, and CrowdStrike—were also breached.

In response, a Biden EO required the Cybersecurity and Infrastructure Security Agency to establish a “common form” for self-attestation that organizations selling critical software to the federal government were complying with the provisions in the SSDF. The attestation had to come from a company officer.

Trump’s EO removes that requirement and instead directs the National Institute of Standards and Technology (NIST) to create a reference security implementation for the SSDF with no further attestation requirement. The new implementation will supplant SP 800-218, the government’s existing SSDF reference implementation, although the Trump EO calls for the new guidelines to be informed by it.

Critics said the change will allow government contractors to skirt directives that would require them to proactively fix the types of security vulnerabilities that enabled the SolarWinds compromise.

“That will allow folks to checkbox their way through ‘we copied the implementation’ without actually following the spirit of the security controls in SP 800-218,” Jake Williams, a former hacker for the National Security Agency who is now VP of research and development for cybersecurity firm Hunter Strategy, said in an interview. “Very few organizations actually comply with the provisions in SP 800-218 because they put some onerous security requirements on development environments, which are usually [like the] Wild West.”

The Trump EO also rolls back requirements that federal agencies adopt products that use encryption schemes that aren’t vulnerable to quantum computer attacks. Biden put these requirements in place in an attempt to jump-start the implementation of new quantum-resistant algorithms under development by NIST.


