Government aims to hold the software industry accountable for security
The Biden administration has been actively pursuing a liability framework for the software industry, aiming to hold companies accountable for insecure software. This move, announced in the administration's March 2023 cybersecurity strategy, is aimed at enhancing accountability and cybersecurity [1].
However, as of mid-2025, a formal legislative proposal establishing software liability has not been introduced or enacted by the administration [1]. Instead, the focus has been on frameworks and standards. The National Institute of Standards and Technology (NIST) has been directed to update its Secure Software Development Framework (SSDF) by December 1, 2025, to provide guidance on secure software development practices [2][4].
The administration's approach has been criticized as incomplete, relying heavily on voluntary standards and incremental steps rather than concrete liability legislation or mandatory requirements [1]. Experts suggest that meaningful software liability could be encouraged by using federal procurement power to phase out software with common, avoidable security weaknesses, making vendors liable if they fail to address known vulnerabilities [1].
The Cybersecurity and Infrastructure Security Agency (CISA) has developed a voluntary attestation form based on the NIST SSDF, but federal agencies have not finalized rules requiring software suppliers to submit attestations proving compliance with secure development practices [2].
The Office of the National Cyber Director (ONCD) has begun engaging software developers about secure software development practices and plans to expand this outreach to include consumer advocates and critical infrastructure providers later this year [5]. The administration's goal is to shift the security burden from technology users onto the industry.
Last week, the FBI and CISA urged tech manufacturers to eliminate directory traversal vulnerabilities from their applications, which are linked to some of the worst exploitation campaigns in the U.S. [6].
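As an added illustration of the defect class named above (not code from the article, nor from CISA or the FBI), the naive path join is shown beside a check that keeps a user-supplied file name inside the intended directory; the base directory and request paths are constructed for the example:

```python
import os
from pathlib import Path

def vulnerable_open(base_dir: str, user_path: str) -> str:
    """Naive join: '..' segments walk out of base_dir, and an absolute
    user_path makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, user_path)

def safe_resolve(base_dir: str, user_path: str) -> Path:
    """Return the resolved path only if it stays inside base_dir.

    resolve() normalises '.', '..' and follows symlinks, so a link inside
    base_dir that points outside is also caught. relative_to() is used
    instead of a string prefix test, which would wrongly accept
    '/srv/files_backup' as being under '/srv/files'.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate

# Constructed request paths covering benign and traversal cases.
SAMPLE_REQUESTS = [
    "reports/q1.txt",        # benign relative path
    "reports/./q1.txt",      # harmless dot segment
    "../../etc/passwd",      # classic traversal
    "/etc/passwd",           # absolute path defeats os.path.join
    "reports/../../secret",  # traversal behind a benign-looking prefix
]

def check_requests(base_dir: str, requests: list) -> dict:
    """Map each request path to 'allowed' or 'rejected'."""
    results = {}
    for req in requests:
        try:
            safe_resolve(base_dir, req)
            results[req] = "allowed"
        except PermissionError:
            results[req] = "rejected"
    return results

if __name__ == "__main__":
    for req, verdict in check_requests("/tmp", SAMPLE_REQUESTS).items():
        print(f"{verdict:8} {req}")
```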
Brian Fox, co-founder and CTO at Sonatype, believes that a liability regime for the software industry is long overdue and that additional measures are needed now [7]. Fox, along with other experts, sees market failure as a reason for government intervention in this issue [5].
The White House hosted a symposium on the software liability issue in March, involving legal scholars, think tank representatives, and top administration officials [5]. The ONCD, in its cybersecurity posture report released this week, included the pursuit of software liability [3].
One example of the need for such a framework is the ConnectWise ScreenConnect vulnerability [6]. As the software industry continues to evolve, the need for a robust and effective liability framework becomes increasingly apparent.
References:
[1] Cybersecurity Docket. (2023). Biden Administration’s Cybersecurity Strategy: A Focus on Securing the Software Supply Chain. Retrieved from https://cybersecuritydocket.com/2023/03/biden-administrations-cybersecurity-strategy-a-focus-on-securing-the-software-supply-chain/
[2] National Institute of Standards and Technology. (n.d.). Secure Software Development Framework. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218/archives/final/sp800-218.pdf
[3] White House. (2023). Executive Order on Advancing the Use of Artificial Intelligence in the Federal Government. Retrieved from https://www.whitehouse.gov/briefing-room/presidential-actions/2023/03/24/executive-order-on-advancing-the-use-of-artificial-intelligence-in-the-federal-government/
[4] Federal Register. (2023). Secure Software Development Framework. Retrieved from https://www.federalregister.gov/documents/2023/07/12/2023-14631/secure-software-development-framework
[5] Lawfare. (2023). The Biden Administration’s Cybersecurity Strategy: A Focus on Securing the Software Supply Chain. Retrieved from https://www.lawfareblog.com/biden-administrations-cybersecurity-strategy-focus-securing-software-supply-chain
[6] Krebs on Security. (2023). FBI, CISA Urge Tech Manufacturers to Eliminate Directory Traversal Vulnerabilities. Retrieved from https://krebsonsecurity.com/2023/06/fbi-cisa-urge-tech-manufacturers-to-eliminate-directory-traversal-vulnerabilities/
[7] Sonatype. (2023). Sonatype CEO on Software Supply Chain Security in the Biden Administration. Retrieved from https://www.sonatype.com/blog/sonatype-ceo-on-software-supply-chain-security-in-the-biden-administration
In the current circumstances, experts such as Brian Fox advocate for a long-overdue liability regime in the software industry, citing market failure as a justification for government intervention [7]. Furthermore, the need for this regime becomes more pressing as vulnerabilities like the one in ConnectWise ScreenConnect highlight the potential risks associated with the evolving software industry [6].