What does that guidance — which builds on a May 2021 executive order — mean for you?
First, we’ll get what Roger Cressey, former United States National Security Council member, calls the 400-pound gorilla out of the way: 85% of US government productivity and collaboration software is owned by Microsoft, with Cisco coming in a far second. There are few smaller companies landing contracts in this area — but this fact also puts a much higher level of responsibility for security squarely on Microsoft.
“Vendors must now step up and deliver more secure IT products, with fewer vulnerabilities,” AJ Grotto, the founding director of the Program on Geopolitics, Technology and Governance at the Stanford Cyber Policy Center, told Technical.ly. “And if they don’t, agencies should fire them and purchase products from a different vendor.”
Experts we spoke to said that the 2020 SolarWinds cyber attack was a catalyst for the order, known as the Executive Order on Improving the Nation’s Cybersecurity. The Tulsa, Oklahoma software company provides infrastructure and network monitoring tools for thousands of companies and organizations around the world – including local, state and federal agencies in the US. SolarWinds’ Orion platform suffered what is called a supply chain hack, threatening to compromise the data of over 30,000 public and private organizations that used the platform at the time. SolarWinds in 2021 estimated that the attack, known as SUNBURST, impacted “fewer than 100” customers.
“That’s the origin,” Cressey told Technical.ly. “In a nutshell, for too long the government has been buying crappy software from a wide variety of interests. And we need to start putting in place rules to ensure that the integrity of the software is at a higher level.”
Meeting new guidelines
The expectation isn’t perfectly secure, bug-free software, but software that consistently conforms to the guidelines issued by the National Institute of Standards and Technology (NIST), as per the 2021 EO. If it doesn’t, the company has the opportunity to come up with a plan to get its security up to the level it needs to be.
For massive, highly resourced companies like Microsoft, meeting the security requirements (requirements it should arguably already be meeting to protect its everyday customers) should be achievable.
There’s a chance that another company could move in if Microsoft doesn’t meet the order’s security requirements, however.
“If [Microsoft does] not do this the right way, a number of agencies are going to have a really interesting challenge on their hands to just rip and replace all the embedded Microsoft infrastructure,” Cressey said.
If Microsoft is able to comply, while that would mean fewer contracts for other companies, it would also mean more security across the board — not just for government agencies, but for businesses that use Microsoft and everyday consumers.
And that, Cressey says, would be good for the economy.
“This certainly has an impact on others up and down the supply chain,” he said. “It’s about extending a better understanding.”
What to expect if you’re a contractor
Now that the guidelines have been set, government agencies have 90 days to inventory all software subject to the requirements, and 120 days to set up a consistent communication system with vendors.