Software Security: Recent Policy Actions Highlight Importance of Mitigating Legal Risks

Recent high-profile cyber incidents involving exploitation of software vulnerabilities—such as the SolarWinds and MOVEit incidents—have increased scrutiny of the security of the software upon which corporate and government customers rely. Though phishing and social engineering continue to be leading causes of cyber incidents, there is growing potential legal exposure for companies from security vulnerabilities in software. For that reason, an expanding body of government guidance, key artifacts, and expectations is developing around software security. For example, recent years have seen:

• Initiatives to promote Secure-by-Design and -Default development practices and to place responsibility on software developers for meeting those standards
• Emphasis on the development and maintenance of software bills of materials (SBOMs) to support vulnerability management and incident response efforts
• Efforts to manage supply chain and vendor risk related to software purchases

This work is increasingly generating process-based expectations for secure software development lifecycles. And while, at first, these expectations will only be expressly legally binding in a limited set of contexts, such as government contracts, the trend is clearly toward increased legally binding expectations for software security. In short, while regulators may struggle to evaluate the security of any particular piece of software, they can be expected to increasingly focus on the security of development environments, testing processes, management of source code, identification and evaluation of component code, oversight of the development team, and other concrete elements of software development lifecycles, as well as representations (in SEC filings and otherwise) that can be scrutinized in hindsight. Companies that develop software, including for their own internal use, will benefit from understanding this trend and evaluating how to mitigate associated legal risks.

This Legal Update summarizes recent policy actions that reflect this trend toward increased legal scrutiny of software security, primarily in the United States. It then highlights key implications for companies that develop software as well as for companies that purchase software to include in their products or to support their regular operations.

Policy Actions Focused on Software Security

Software security featured heavily in President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity (Cyber EO), with the Cyber EO dedicating a section to “Enhancing Software Supply Chain Security.” The Cyber EO aimed to “use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.” To achieve this goal, the Cyber EO set out several new initiatives that were intended to establish secure development guidelines for software sold to the federal government, prioritize “critical software,” and create pilot consumer labeling programs for Internet of Things (IoT) devices and secure software development practices. 
The last two years have seen a flurry of policy activity in the United States relating to software security, many of which stem from the Cyber EO. These actions include:

• In October 2021, the Department of Justice (DOJ) announced a new “Civil Cyber-Fraud Initiative” with the stated goal of holding government contractors (including software developers) financially accountable for “knowingly providing deficient cybersecurity products or services” and “knowingly misrepresenting their cybersecurity practices or protocols” in connection with federal procurement. To-date, the DOJ has settled four cases under the Initiative (the highest for $9 million) and has made clear that it is focused on possible misrepresentations about the security of software sold to the government. Financial incentives to whistleblowers also will likely lead to accelerating qui tam actions.

• On September 14, 2022, the US Office of Management and Budget (OMB) published a memorandum, M-22-18, requiring federal agencies to comply with previously announced guidelines for ensuring the integrity of third-party software on an agency’s information systems or that otherwise affects government information. The memorandum required that “agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the National Institute of Standard and Technology (NIST) Guidance,” (i.e., the NIST Secure Software Development Framework (SSDF) and the NIST Software Supply Chain Security Guidance). This memorandum prioritized implementation of requirements for the “critical software” that NIST had previously defined.

• Released on January 26, 2023, the NIST Artificial Intelligence Risk Management Framework (NIST AI RMF) explained that “cybersecurity risk management considerations and approaches are applicable in the design, development, deployment, evaluation, and use of AI systems.” The NIST AI RMF pointed to the NIST SSDF as one reference for companies looking to “leverage[e] available standards and guidance that provide broad guidance to organizations to reduce security and privacy risks” relevant to AI.

• On March 2, 2023, the Biden-Harris Administration released its National Cybersecurity Strategy. Again, the Administration highlighted software security as a priority. The Strategy highlighted a new priority: to “shift liability onto those entities that fail to take reasonable precautions to secure their software,” albeit acknowledging that “even the most advanced software security programs cannot prevent all vulnerabilities.” In the subsequent implementation plan, the Administration further explained that the Office of the National Cyber Director (ONCD) would host a legal symposium to address this issue. The implementation plan also explained that, to advance other software security-related goals in the National Cyber Strategy: (1) the Cybersecurity and Infrastructure Security Agency (CISA) would work with key stakeholders “to identify and reduce gaps in SBOM scale and implementation,” “explore requirements for a globally-accessible database for end-of-life/end-of-support software,” and “convene an international staff-level working group on SBOM;” and (2) CISA will work to “build domestic and international support for an expectation of coordinated vulnerability disclosure among public and private entities, across all technology types and sectors, including through the creation of an international vulnerability coordinator code of practice.” 

• On July 18, 2023, the Biden-Harris Administration announced its “U.S. Cyber Trust Mark” initiative. Under this program, the Federal Communications Commission (FCC) will establish a voluntary certification and labeling program to guide and inform consumers purchasing IoT devices such as “smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.” The FCC’s subsequent notice of proposed rulemaking asked for comment on reliance on 2022 guidance from NIST on cybersecurity labeling as the baseline for this program. Notably, that guidance focuses on security practices in the development process.

• On July 31, 2023, the public version of the annual report issued by the Committee on Foreign Investment in the United States highlighted its use of mitigation measures to ensure software integrity, including to address its concern about access to source code of software sold to government or critical infrastructure customers.

• On August 8, 2023, NIST released a draft of the Cybersecurity Framework (CSF) 2.0. That updated draft included new cross references to the SSDF and content updated to reflect “the latest NIST guidance and Framework practices related to cybersecurity supply chain risk management and secure software development.”

• On August 10, 2023, ONCD issued a request for information, in collaboration with other government agencies, on open source software security and memory-safe programming languages. Key questions posed to potential commenters included how “the federal government [should] contribute to driving down the most important systemic risks in open-source software.” 

• On October 3, 2023, the Department of Defense, General Services Administration, and NASA published a proposed rule to amend the Federal Acquisition Regulation (FAR) to impose new requirements around cyber threats and incident reporting and information sharing. Building on the Administration’s prior work on SBOMs, covered contractors would be required to develop and maintain an SBOM for any software used in the performance of a government contract—a requirement that would apply without regard to whether a security incident had occurred. The government believes SBOMs “can be critical in incident response, as they allow for prompt identification of any source of known vulnerability.”

On October 10, 2023, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Treasury Department released a joint fact sheet on “Improving Security of Open Source  Software in Operational Technology and Industrial Control Systems.” The agencies offered “recommendations for improving security of [Open Source Software (OSS)] in [Operational Technology (OT) and Industrial Control Systems (ICS)], starting at the senior leadership level” at OT vendors and critical infrastructure facilities. These recommendations addressed vendor support of OSS development and maintenance, vulnerability management, risk exposure reduction, vulnerability coordination, patch management, improving authentication and authorization policies, and establishing common frameworks across IT and OT.

While the above examples all pertain to the United States, governments from around the globe are showing a similar heighted interest in software security. In the European Union, for example, the proposed Cybersecurity Resiliency Act would impose software security requirements on the design, development and production of products with digital elements, continuing the trend of policymakers to look beyond system owners and operators to the developers of software themselves. And on April 13, 2023, CISA, the FBI, and the NSA joined with international partners from Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand to publish “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” There “the authoring agencies urged manufacturers to revamp their design and development programs to permit only Secure-by-Design and -Default products to be shipped to customers.” In addition to calling for secure development processes, these agencies encouraged manufacturers to ”make hard tradeoffs and investments, including those that will be ‘invisible’ to the customers, such as migrating to programming languages that eliminate widespread vulnerabilities.” They also discussed balancing security and usability, opining that manufacturers “should prioritize features, mechanisms, and implementation of tools that protect customers rather than product features that seem appealing but enlarge the attack surface.”

Key Implications for Businesses

In short, government expectations for software security are growing around the globe. While at present, these expectations are largely stated as guidance, the trajectory clearly points toward continued expansion in binding legal requirements. As companies contemplate this trend, they may wish to consider their approach to software security—particularly to the extent that they develop software, whether for internal or external use—in light of the following three key sources of legal risk:

• First, software developers may need to comply with any of the growing number of specific legal requirements for the security of software development practices. Whether imposed through government contract, regulation, or legislation like the anticipated Cybersecurity Resilience Act in the EU, ensuring a company’s compliance with applicable requirements will be critical to managing legal risk associated with software development activities.

• Second, companies that develop software or incorporate software into their products may need to meet  evolving regulatory expectations around software security. In the United States, for example, the Food and Drug Administration’s guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” explains how a company can use a “Secure Product Development Framework” to enhance the cybersecurity of medical devices. Likewise, federal agencies such as the National Highway Traffic Safety Administration and the Federal Trade Commission have emphasized the importance of software security, including by urging developers to consider security at the earliest stages of the development process. Relevant companies will benefit from considering how to meet these agencies’ expectations for software security, including as best practices continue to emerge in the field.

• Third, companies should anticipate increased liability risk in the coming years from lawsuits alleging that they either failed to meet best practices or use reasonable care for secure software development or did not live up to their representations regarding their software.  This increasing potential legal exposure is also being driven by security incidents that continue to have substantial consequences for individuals and businesses and intense scrutiny being paid to software vulnerabilities by members of the press and the security research community.

While these points primarily apply to companies that develop software or incorporate it into their products, all companies—as purchasers of software—will benefit from understanding the increased policy focus on software security. Software purchasers may want to follow the example set by the US government and prioritize the purchase of secure software, both to reduce risk to their businesses and to meet increasing regulatory expectations around supply chain and vendor management. In this context, contractual provisions relating to secure developments practices are likely to become of increased focus in relevant transactions in the coming years.