

Incorporating Cybersecurity Supply Chain Risk Management for Business Impact


Serious global information technology (IT) security attacks are driving major changes in government and commercial IT procurement. The resulting regulations and laws have a growing impact on federal contracting and critical infrastructure industries, requiring investment in policy, risk-based cybersecurity management, standard operating procedure generation, additional tooling, personnel, and enterprise-wide training.

As a result, the government, the investing community, and the insurance industry expect enterprise cybersecurity risk management to be fully incorporated into business and mission risk planning at every level. From a regulatory and legal perspective, the days of IT being a purely support function operating in the background are at an end.

Facing increasing threats to vulnerable supply chains

Foreign adversaries have weaponized the software supply chain to gain entry into IT systems for information gathering, monetary and intellectual property theft and extortion, strategic and tactical advantage, and general disruption of the normal functioning of governments and companies. Combined with the weaknesses inherent in large supply chains, organizations are at a substantially increased risk of major disruption and loss compared to the past.

The largest criminal intrusion to date is the SolarWinds attack of 2020, in which Russia used the software supply chain to introduce vulnerabilities into the open-source dependencies of SolarWinds software. These vulnerabilities were used to gain access to government and commercial systems for the purpose of intelligence collection. To date, remediating the SolarWinds attack has cost government and industry more than $100 billion, and the cost continues to grow.

Absorbing the government response

To stem the tide of high-profile attacks, governments around the world are developing new regulations and laws that set minimum cybersecurity compliance and reporting standards. For U.S. contractors, new regulations dictating responsibilities when developing, selecting, or reselling software are the result of the May 2021 Executive Order (EO) 14028 on Improving the Nation's Cybersecurity. EO 14028 requires all companies involved in critical infrastructure or selling software or services to the federal government to develop policies, procedures, practices, and incident reporting that comply with the National Institute of Standards and Technology (NIST) Cybersecurity Supply Chain Risk Management (C-SCRM) and Secure Software Development Framework (SSDF). The government has stipulated that these requirements cover all code on both the civilian and defense sides of the executive branch. This includes vetting all sources used to create code. The U.S. government will consolidate cyber supply chain security requirements in a new FAR Part 40. Until then, the Office of Management and Budget (OMB) has released interim guidance requiring agencies to procure software that is developed and managed under secure software development practices and attested to by the companies that produce it.

In addition to the new federal contracting requirements, software developers must consider additional regulations, laws, and policies at the federal, state, and local government levels; commercial client requirements; foreign IT requirements; insurance coverage mandates and limitations; and civil liability.


New liabilities impacting industries we support

The federal government and the insurance industry now hold companies accountable for the processes used to build and purchase software, requiring them to attest to the company's adherence to secure development policies and procedures. Organizations will need to continuously vet the processes they use to build or acquire software. Companies not currently following these practices will need a substantial investment of time and money to reach the new minimum requirements. The costs of fully implementing a secure software development lifecycle (SSDLC) with secure development/build environments, universal multi-factor authentication, least-privilege authorization, artifact creation and retention, and the associated legal costs to support attestation are not trivial.

Since implementation of these security controls is a prerequisite to obtaining future contracts, the associated costs cannot be recovered directly and will need to be absorbed as organizational overhead. Many small vendors, and small projects within large organizations, will not have the resources to cover the initial setup, ongoing maintenance, and training costs associated with software development and procurement. These additional costs, together with the reduced workload resulting from consolidation and automation of cloud products, are expected to negatively affect small contractors, reducing the number of qualified small businesses over the next decade.

In addition to the reduction of smaller contractors in the market, these regulatory changes will accelerate adoption of no/low-code Software as a Service (SaaS) cloud-based services that already incorporate security controls under the Federal Risk and Authorization Management Program (FedRAMP). Additionally, the government is looking to migrate legacy applications to Platform as a Service (PaaS) offerings, which are developed and maintained using Zero Trust principles, reducing the number of systems and the amount of code the government must secure on its own.

A Culling of Competition in the Market

Cybersecurity is now a first-tier requirement for Tetra Tech’s clients and their parent organizations. This is a key focus of Tetra Tech’s cybersecurity offering, which includes governance, risk, and compliance; cyber program development and operations; and Zero Trust architecture and secure software supply chain. This rapidly changing posture will have ramifications vertically and horizontally across organizations.

For companies not yet familiar with secure application development and management, the coming years will require a difficult and expensive transition to remain in the market. In response to the regulatory and legal changes, software and service companies have already begun updating existing services and deprecating incompatible legacy features. Legacy applications that depend on outdated features will need to be updated to meet the new cybersecurity and mandated Zero Trust environment, opening the door for companies that can train, staff, and implement policies and procedures compliant with the new requirements.

About the author


Tim Blum

Tim Blum is an IT consultant at Tetra Tech focusing on geospatial technologies, business intelligence, and project management.

He has more than 25 years of U.S. federal contracting experience across the Department of Interior (DOI), Department of Defense (DoD), Department of Transportation (DOT), Department of Homeland Security (DHS), Department of Energy (DOE), and Congress. Tim leads Tetra Tech's ArcGIS hosting environment in North America and is responsible for on-premises GIS systems. He advises Tetra Tech operations on projects spanning the federal, state, and local, utility, energy, and environmental sectors. Tim has decades of experience in traditional project support and application development and is currently transitioning teams and applications to cloud-based solutions and no/low-code services, with a focus on meeting new legal and regulatory IT requirements.