This brief gives a quick overview of the call for views on a new code of practice for software vendors that the Department for Science, Innovation and Technology (DSIT) has published.
Background
The Department for Science, Innovation and Technology (DSIT) is calling for views on a new code of practice for software vendors. This code aims to improve the security of software and make it more difficult for attackers to compromise systems. This most recent call for views draws upon DSIT's continued engagement with the sector. A previous call for views on software resilience and security, which concluded in January 2024, highlighted the need for clearer expectations for vendors and stronger accountability. This new code forms part of a policy package from DSIT and aims to address these concerns and improve overall software security.
Relevant LGA responses and key lines
The LGA, along with other stakeholders, participated in the previous call for views and identified specific challenges faced by local government. Our response identified three core challenges facing local government:
- Local authorities deliver a range of services that require specialised software, and therefore have a unique set of software requirements. This means that councils are often faced with a lack of supplier options and a power imbalance between them and suppliers. This power imbalance sometimes results in suppliers not improving or sufficiently securing the software products on which councils and critical public services depend.
- The lack of transparency in software supply chains also presents councils with security risks that they are currently not able to adequately treat.
- When responding to a supplier cyber incident that impacts local government and residents, the current regulatory environment, by recognising the supplier as the primary victim, does not sufficiently support councils to manage their own risk to systems, services and residents, and therefore appears not to prioritise the needs and data security of residents.
As well as outlining challenges, our response made several recommendations to government to ensure councils' views were taken into account:
- Improve the transparency of supply chains, incentivise secure software development, and promote informed choice.
- Prioritise and support the development of a standard for aspects of software development and distribution.
- Support SME market disruption.
- Through Crown Commercial Services, improve secure procurement practices for local authorities.
- Strengthen regulation that compels suppliers to share information about incidents and associated risks in a timely manner.
- Introduce secure mechanisms for sharing information about vulnerabilities and malicious code between local government, developers, distributors and researchers.
We support DSIT's proposal for a code of practice for software vendors. This initiative directly addresses our concerns about supply chain vulnerabilities, a major issue for councils that requires a national solution. The dramatic rise in software supply chain attacks (742 per cent average annual increase between 2019 and 2022) has caused significant damage and service disruption in local government. Councils are eager for the development of measures that increase supply chain cybersecurity and make software vendors, distributors, and resellers more accountable.
Code of practice for software vendors
The voluntary code of practice for software vendors sets out the fundamental security and resilience measures that should be expected of all organisations that develop or sell software used by businesses and other organisations. The code of practice aims to strengthen the foundations of the many kinds of digital technologies that all sectors of our economy rely on.
The code is based on four principles, which together contain 21 provisions setting out what suppliers' senior responsible officers “shall” do and “should” do:
Principle 1: Secure design and development
This principle ensures that the product or service is appropriately secure when provided.
The Senior Responsible Officer in vendor organisations shall do the following:
1.1 Ensure the organisation follows an established secure development framework.
1.2 Ensure the organisation understands the composition of their software products and services and that risks linked to the ingestion and maintenance of third-party components, including open-source components, are assessed throughout the lifecycle.
1.3 Ensure the organisation has a clear process for testing software before distribution.
1.4 Ensure that the organisation follows secure by default principles throughout the development lifecycle of the product.
The Senior Responsible Officer in vendor organisations should do the following:
1.5 Ensure secure by design principles are followed throughout the development process.
1.6 Encourage the use of appropriate security tools and technologies to make sure that the default options throughout development and distribution are secure.
Principle 2: Build environment security
This principle ensures that the appropriate steps are taken to minimise the risk of build environments becoming compromised and protect the integrity and quality of the software.
The Senior Responsible Officer in vendor organisations shall do the following:
2.1 Ensure the build environment is protected against unauthorised access.
The Senior Responsible Officer in vendor organisations should do the following:
2.2 Ensure changes to the environment are controlled and logged.
2.3 Ensure you are using a build pipeline you trust.
Principle 3: Secure deployment and maintenance
This principle is to ensure that the product or service remains secure throughout its lifetime, to minimise the likelihood and impact of vulnerabilities.
The Senior Responsible Officer in vendor organisations shall do the following:
3.1 Ensure that software is distributed securely to customers.
3.2 Ensure the organisation implements and publishes an effective vulnerability disclosure process.
3.3 Ensure the organisation has processes in place for proactively detecting and managing vulnerabilities in software components it uses and software it develops, including a documented process to assess the severity of vulnerabilities and prioritise responses.
3.4 Ensure that vulnerabilities are appropriately reported to the relevant parties.
3.5 Ensure the organisation provides timely security updates, patches and notifications to its customers.
Senior leaders in vendor organisations should do the following:
3.6 Make a public affirmation that the organisation would welcome security researchers to test software products and services provided by the organisation as part of its vulnerability disclosure process.
Principle 4: Communication with customers
This principle is to ensure that vendor organisations provide sufficient information to customers to enable effective risk and incident management.
The Senior Responsible Officer in software vendor organisations shall do the following:
4.1 Ensure the organisation provides information to the customer, in an accessible way, specifying the level of support and maintenance provided for the software product/service being sold.
4.2 Ensure the organisation provides at least 1 year’s notice to customers, in an accessible way, of when the product or service will no longer be supported or maintained by the vendor.
4.3 Ensure information is made available to customers in an appropriate and timely manner about notable incidents that may cause significant impact to customer organisations.
The Senior Responsible Officer in vendor organisations should do the following:
4.4 Ensure that high level information about the security and resilience standards, frameworks, organisational commitments and procedures followed by the organisation is made available to customers.
4.5 Ensure that the organisation proactively supports affected customers during and following a cyber security incident to contain and mitigate the impacts of an incident. How this would be done should be documented and agreed in contracts with the customer.
4.6 Provide customer organisations with guidance on how to use, integrate, and configure the software product or service securely.
Considerations for local government
A successful code of practice has the potential to significantly enhance the accountability of software suppliers and increase transparency within the supplier market, ultimately leading to more secure software for all users.
While the code of practice is a positive step, key questions remain regarding implementation and maximising its impact:
- The voluntary nature of the code presents a challenge: incentivising suppliers to adopt it.
- Local government procurement often faces limited competition, with large incumbent suppliers frequently dictating terms. The code and its supporting documentation need to address this unique dynamic.
- Implementing the code will likely require additional costs and skills development for suppliers. A dedicated support package should be considered to raise awareness and facilitate adoption.
These are all key discussion points and considerations as DSIT looks to engage with local government and beyond. The call for views emphasises a collaborative development process for the code of practice, ensuring continued stakeholder engagement. While the code is voluntary, DSIT acknowledges the potential need for legislation to ensure proper enforcement. The code is just one piece of a broader policy package. Another key element is the development of dedicated contract clauses, further strengthening cyber resilience within the software supply chain.
The LGA actively seeks to ensure local government's voice is heard:
- Individual council response: Councils can also submit individual responses via a survey closing on 9 August 2024.
The LGA encourages all councils to participate in these opportunities to shape a robust code of practice that strengthens cybersecurity in the software supply chain for the benefit of all.