Cybersecurity takes a big hit in new Trump executive order

The departments of Trade, Treasury, Homeland Security and the National Institutes of Health were all compromised. A long list of private companies (among them Microsoft, Intel, Cisco, Deloitte, FireEye and CrowdStrike) was also breached.

In response, a Biden EO required the Cybersecurity and Infrastructure Security Agency to establish a “common form” for self-attestation that organizations selling critical software to the federal government were following the provisions in the SSDF. The attestation came from a company officer.

Trump's EO removes that requirement and instead directs the National Institute of Standards and Technology (NIST) to create a reference security implementation for the SSDF, with no further attestation requirement. The new implementation will replace SP 800-218, the government's existing SSDF reference implementation, although the Trump EO calls for the new guidelines to be informed by it.

Critics said the change will allow government contractors to sidestep guidelines that require them to proactively fix the types of security vulnerabilities that made the SolarWinds compromise possible.

“That will enable people to make their way through 'we have copied the implementation' without following the spirit of the security controls in SP 800-218,” said Jake Williams, a former hacker for the National Security Agency who is now a VP for cybersecurity company Hunter Strategy, in an interview. “Very few organizations actually adhere to the provisions in SP 800-218 because they have a number of serious security requirements for developmental environments, which are usually [like the] Wild West.”

The Trump EO also rolls back the requirements that federal agencies adopt products that use encryption schemes that are not vulnerable to quantum computer attacks. Biden put these requirements in place in an attempt to jump-start the implementation of new quantum-resistant algorithms under development.