CISA's Software Development Attestation Form - Survey - Industry Today

June 18, 2024

Software Bills of Materials, a crucial element of EO 14028, have been incorporated into only 16% of respondents' development processes.

Just 20% of businesses affected by the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Secure Software Development Attestation Form are ready to meet the impending compliance deadline of June 11, 2024, according to a survey of more than 100 security professionals. The form, a component of Executive Order (EO) 14028, requires software developers that work with the U.S. government to follow critical secure development practices and to attest that they have implemented them.

Over 2,700 organizations in the United States were affected by software supply chain attacks in 2023, the most on record since 2017. The significance of adhering to EO 14028 is underscored by the 58% increase in the count of impacted companies during the last year. In addition to possible financial and legal repercussions, noncompliance with EO 14028 can make an organization more susceptible to cyberattacks and harm its reputation.

Given the looming threats and consequences, it’s alarming that 84% of respondents’ companies have not implemented Software Bills of Materials (SBOMs) into their development process, despite EO 14028 making SBOMs mandatory in May 2021. These findings demonstrate that, in many cases, the federal government’s efforts to prevent cyber infiltration have yet to translate into real-world action.

“Executive Order 14028 urges organizations working with government agencies to modernize their security protocols, including generating SBOMs and attestation to secure development practices, which is viewed as a major leap forward for national cybersecurity,” said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. “However, most organizations are unaware of their exposure and are inadequately protected, leaving them prone to supply chain attacks. IDC research found 23% of organizations surveyed experienced a software supply chain attack, a 241% increase from the prior year, affirming Lineaje’s call to increase awareness and urgency among cybersecurity professionals.”

Additional findings include:

  • Many security professionals simply are unaware of EO 14028. Despite potential penalties associated with non-compliance, Lineaje’s survey revealed that 65% of respondents have never heard of EO 14028. Meanwhile, roughly half of those familiar with it are unaware of its specific criteria.
  • Vulnerabilities top the list of software supply chain woes. Security vulnerabilities were the top concern for 56% of respondents, followed by adhering to compliance regulations (22%).
  • Security professionals have serious concerns about open-source software, but many lack the tools to identify and mitigate those concerns. Nearly 60% of respondents said their companies used open-source components in their software, but only 16% could confidently say the average open-source software is secure. While a slight majority (56%) claim to have the tools to identify and mitigate risky components, nearly a quarter were unsure, and nearly 20% had no tools. Meanwhile, 66% of respondents' companies have invested in tools to find and fix vulnerabilities within internally built software.
  • Budget and staff restrictions could be responsible for lagging compliance and tool adoption. When asked about current limitations for securing their companies’ software, the top responses included budget limitations (45%) and lack of staffing resources (36%), which may explain the slower uptake of software supply chain security measures.