80 percent of organizations not ready for CISA rules on security practices
The US Cybersecurity and Infrastructure Security Agency's (CISA) Secure Software Development Attestation Form rules come into force on June 11, 2024.
This requires software producers who work with the US government to adhere to and confirm the deployment of key security practices. But new research from Lineaje reveals that 80 percent of companies are not ready.
The report also finds that 84 percent of respondents' companies have not implemented software bills of materials (SBOMs) into their development process, despite Executive Order 14028 making SBOMs mandatory in May 2021. These findings demonstrate that, in many cases, the federal government's efforts to prevent cyber infiltration have yet to translate into real-world action.
Despite there being potential penalties associated with non-compliance, Lineaje's survey reveals that 65 percent of respondents have never heard of EO 14028, while roughly half of those familiar with it are unaware of its specific criteria.
"The efforts of the federal government to safeguard our software supply chain are laudable—but it's clear that awareness has fallen short," says Javed Hasan, CEO and co-founder of Lineaje. "While businesses can't build without open-source software, they also can't survive long-term if that same open-source software is riddled with security vulnerabilities. Software vendors and cybersecurity professionals need to educate themselves and take immediate action on the upcoming compliance deadlines to protect their organizations and contribute to enhancing the nation's overall cybersecurity posture."
Among other findings, nearly 60 percent of respondents say their companies use open-source components in their software, but only 16 percent can confidently say the average open-source software is secure. While a slight majority (56 percent) claim to have the tools to identify and mitigate risks in these components, nearly a quarter are unsure, and nearly 20 percent have no tools. Meanwhile, 66 percent of respondents' companies have invested in tools to find and fix vulnerabilities within internally built software.
You can read more on the Lineaje blog.