Heading up the government’s information-security efforts while the SolarWinds attacks went undetected, and then getting fired by President Trump for telling the truth about the integrity of the 2020 election, might make somebody pessimistic about the future of infosec. But Chris Krebs, former Cybersecurity and Infrastructure Security Agency (CISA) director, sounded surprisingly optimistic during a talk this week in D.C.
Speaking at the Hack the Capitol conference via video (because his wife had come down with COVID), Krebs pointed to President Biden’s May 2021 executive order on cybersecurity as one reason for that hope—not because of its consumer provisions like security labels for smart-home gadgets, but because of its tougher requirements for federal IT contractors.
“It finally realizes the key point, probably the greatest point of leverage, that the United States federal government has in cybersecurity, and that is the power of the purse,” Krebs told his interviewer, Scythe founder and CEO Bryson Bort.
The order mandates such upgrades from IT vendors as providing a software bill of materials for their products and participating in vulnerability-disclosure programs, in effect telling them “you must be this tall to ride the federal government procurement process,” as Krebs phrased it.
“It’s going to raise the standard,” he predicted. “Software companies are not going to bifurcate their code base for the federal government and for everyone else.”
Krebs did, however, suggest that Congress needs to stop scattering cybersecurity oversight among various subcommittees, a key recommendation of the March 2022 report of the government’s Cyberspace Solarium Commission. “We have to consolidate and streamline congressional oversight,” he
Read more on pcmag.com