F5, SolarWinds, and the Lethargy of the FAR Council
Published by The Lawfare Institute
On Oct. 15, technology company F5—which advertises itself as being trusted by 85 percent of the Fortune 500—disclosed that it had been investigating unauthorized access to its systems since Aug. 9. As part of the investigation, the company learned that malicious actors had maintained “long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform.” BIG-IP is a widely used application delivery controller, which helps load balance user requests across servers, the type of core networking function that allows the internet to operate.
By September, F5 determined that the incident was “material” (in the financial securities sense) and petitioned the United States attorney general to delay providing public notice of the incident due to substantial risk to national security or public safety. When F5 did reveal the matter to the public, it combined the notification with security patches for an array of its products. The Cybersecurity and Infrastructure Security Agency (CISA) promptly issued an emergency directive requiring federal agencies to patch affected F5 products within a week—and outside of the normal patch prioritization process—due to the risk that the actor that breached F5 could have used the stolen information to develop exploits for these vulnerabilities. According to estimates, anywhere from 250,000 to more than 600,000 internet-exposed devices remain vulnerable if they have not been patched.
The good news is that there is not yet evidence that malicious actors are exploiting F5 devices. In addition, we have yet to see evidence of any changes to the F5 codebase. But even if malicious actors have yet to exploit vulnerabilities from the breach, the kinds of technical specifications and code they stole from F5 could provide blueprints to carry out new hacks for years to come. And, as demonstrated in the case of SolarWinds—a massive software supply chain incident with parallels to the F5 breach—a clever nation-state does not have to alter source code to be able to plant an insidious backdoor.
SolarWinds prompted a massive government response to ensure that such deep access to development environments would not happen again. For example, the State Department’s investments in logging enabled government cybersecurity professionals to discover advanced Chinese actors stealing data from the Office 365 cloud environment.
However, nearly four and a half years later, the core policy change by the Biden administration in response to SolarWinds—updates to government procurement regulation that seek to leverage the $100 billion in information technology spending by the federal government to require secure software development practices—remains unimplemented. The policy exists, but it has not been executed. And even with the continued focus on secure-by-demand policies in the Trump administration, progress remains at a standstill.
The Federal Acquisition Regulatory Council (FAR Council), which administers federal procurement law by issuing rules to amend the Federal Acquisition Regulation, has three cases on its docket, pending since 2021, that could have played a role in preventing an incident such as F5 by providing enhanced cybersecurity requirements for the company’s software development processes. As a matter of policy, President Trump’s June cyber executive order leaves in place the bulk of the secure-by-demand requirements, yet the FAR Council does not predict initial action on secure-by-demand rules until mid-2026.
The failure to change acquisition regulations, despite bipartisan support in Congress and across two administrations, calls into question the idea that government, as the biggest purchaser of information technology in the country, can act as a key lever to make software used across the country more secure—unless and until changes are made to the FAR Council.
An Encouraging Start
Following the SolarWinds incident in 2020, policymakers recognized a clear need to improve secure software development practices. Russian actors broke into the “production environment,” where SolarWinds engineers wrote the software that powered their products. Rather than changing the software’s source code itself, they injected novel, malicious instructions at the end of the build process, which transforms source code into runnable applications, creating a backdoor they could use to gain access to the software later. The Russians then leveraged their control over the SolarWinds products to steal keys that allowed them to access their end goal: sensitive data stored in cloud environments. As a result, SolarWinds gave Russia the ability to spy on more than 16,000 systems worldwide.
The aftermath of the SolarWinds incident laid bare the need to strengthen detection capabilities such as logging for users of software products, and the need to improve the security of software itself—from the operational security of development environments to transparency about software components. In response to the hack, Congress and the incoming Biden administration acted with commendable alacrity.
The American Rescue Plan Act, which passed in March 2021, allocated $650 million to improve agency cybersecurity, including through the deployment of endpoint detection and response (EDR) software and advanced logging tools. Congress also passed the Internet of Things Cybersecurity Improvement Act of 2020 just weeks before news of SolarWinds became public. The law requires the development of clear guidelines for the procurement and operation of Internet of Things (IoT) devices, themes that would shortly be echoed by the Biden administration.
On May 12, 2021, the White House released Executive Order 14028 on “Improving the Nation’s Cybersecurity.” This sweeping policy document reinforced requirements for federal agencies to deploy EDR, multifactor authentication, and logging, all with a view toward reducing the potential harm if a malicious actor were able to gain access to a government system.
Even more consequential, however, were the executive order’s requirements on federal contractors. For the first time, contractors—such as information technology and operational technology providers—would be held to consistent incident reporting and log retention standards. What’s more, President Biden’s executive order required procurement regulations to be revised to be “secure-by-demand,” that is, requiring that the software licensed by the government was produced in line with secure software development life cycle guidelines produced by the National Institute of Standards and Technology (NIST).
Executive Order 14028 also specifically directed the FAR Council to propose various regulations, including removing barriers to sharing threat information within 150 days of the order; requiring incident reporting within 135 days; standardizing contract language related to cybersecurity requirements within 120 days; and enhancing software supply chain security, after receiving a report due one year after the order was issued.
By September 2021, implementation of the executive order seemed to be largely on track. One hundred and nineteen days after the executive order, the FAR Council’s Unified Agenda listed two new cases pertaining to draft rules. Case 2021-017 covered the information sharing and incident reporting requirements. Case 2021-019 covered the standard contract language requirements. Per the agenda, both draft rules would be released in February 2022, approximately 270 days after the issuance of the executive order.
Delays Pile Up
February 2022 came and went without publication of either draft. A month later, the FAR Council released updated guidance: The notices of proposed rulemaking (NPRMs) on both information sharing and reporting, as well as standard contract language requirements, were expected to come out in August. By the fall, however, the timeline had slipped to December.
Meanwhile, the software supply chain security rulemaking was even further behind. Despite NIST’s new version of its secure software development life cycle guidance—and attendant actions by the Office of Management and Budget (OMB) and CISA to prepare for the collection of software self-attestation forms—the FAR Council did not even open a case on software supply chain security in 2022, much less issue a draft rule.
In March 2023, the Biden administration released its National Cybersecurity Strategy. Under the pillar referencing market forces, Objective 3.5 was entitled “Leverage Federal Procurement to Improve Accountability.” The strategy stated:
Contracting requirements for vendors that sell to the Federal Government have been an effective tool for improving cybersecurity. EO 14028, “Improving the Nation’s Cybersecurity,” expands upon this approach, ensuring that contract requirements for cybersecurity are strengthened and standardized across Federal agencies.
As part of the strategy’s implementation plan, the administration set new deadlines, with draft rules due by the end of 2023. That October, the FAR Council released NPRMs for Cases 2021-017 and 2021-019. With the release of the NPRMs, elements from the IoT Cybersecurity Improvement Act of 2020 were officially incorporated into Case 2021-019, focused on standardizing contract requirements. One element of the executive order’s section 4, the requirements related to the provision of software bills of materials, was also incorporated into Case 2021-017.
However, despite the implementation plan, the bulk of the software supply chain security requirements from Executive Order 14028 remained in limbo, with no progress besides adding a new item to the FAR Council docket, Case 2023-02, which stated that a draft rule could be expected in November.
In November 2023, the FAR Council extended the comment period for the two draft rules until February 2024. As of this writing, there has been no substantive progress on any of the three cases since. The latest update on Case 2021-017 (on information sharing and incident reporting) is that a report on the matter was tasked to council staff on Feb. 28, 2024, with an original due date of April 2024. That report is still pending. With each status update on open FAR cases, the due date has been extended.
For Case 2021-019 (on contract standardization), civilian and defense regulatory staff have reportedly been “resolving differences” on portions of the rule since Dec. 5, 2024. The rule itself was originally due in December 2024. And for the most recent Case 2023-02 (on software supply chain security), civilian and defense regulatory staff have also reportedly been working to resolve “issues” in the draft rule that were identified by OMB since May 30, 2024.
Going Around the FAR Council
The above tale of FAR Council inaction does leave out a modicum of progress that has occurred in implementing Executive Order 14028’s software supply chain security provisions. In September 2022, OMB released a memorandum directing federal departments and agencies to comply with NIST’s guidance on secure software development. The memo required that agencies begin collecting secure software development self-attestation forms from vendors within one year. That process, however, was delayed in a June 2023 memo until six months after CISA composed and finalized a common self-attestation form, which the agency did in March 2024.
There are two main challenges with using OMB memos that rely on Federal Information Security Modernization Act authorities to enforce procurement requirements in place of acquisition regulations. First, implementation of OMB directives has been spotty. Several inspectors general reviews of agencies have highlighted deficiencies in their procurement processes related to collecting and reviewing self-attestation forms—the very mechanism that the OMB memo relies on. This is not surprising. The Federal Acquisition Regulation exists in large part due to the difficulty in getting the hundreds of agencies and their subcomponents on the same page with respect to procurement. Creating additional requirements outside that regulation adds an entirely new, burdensome set of processes and accountability mechanisms.
Second, the Biden White House itself noted inadequacy with its own program. Executive Order 14144, issued in the waning hours of the administration, included several additional provisions related to software supply chain security. In particular, the executive order repudiated the self-attestation approach, requiring vendors to provide “artifacts” to demonstrate their compliance with NIST guidelines. Ironically, despite the lack of even a draft rule for Case 2023-02—and a pile-up of previous cases that still have not been processed—the executive order tasked the FAR Council to implement the changes related to software supply chain security within 150 days.
Unfinished Business
In June, the Trump administration issued its first cybersecurity executive order. It represented an evolution—not a revolution—in approach to the topic, continuing a trend that traces back to the Clinton administration. That continuation is apparent in its execution: It largely amends Biden’s Executive Order 14144, rather than repealing or replacing it—and it doesn’t touch Executive Order 14028, “Improving the Nation’s Cybersecurity.” The Trump executive order does, however, remove the software supply chain security provisions in Executive Order 14144 related to contracting, claiming that they “[i]mpos[ed] unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.” Incidentally, the acquisition regulation—which still has not been released in draft form—need not confine itself to self-attestation if the current administration has proposals to incentivize genuine security investments different from those in Executive Order 14144.
Nonetheless, the Trump administration has published updated timelines for the implementation of all three FAR rules pertaining to cybersecurity. The cases on information sharing and incident reporting (2021-017) and contract standardization (2021-019) were expected to close with final rules in November 2025 and February 2026, respectively. Meanwhile, the NPRM for the case on software supply chain security (2023-02) is now slated for release in June 2026. If the FAR Council sticks to its timelines, it is indeed possible that the supply chain cybersecurity practices that are directly applicable to incidents such as the F5 breach and SolarWinds could eventually be baked into every federal contract.
However, if the past four years are a guide, it will take a determined effort by very senior government officials to carry these provisions across the finish line. Despite an executive order, a supplemental OMB memorandum, and a national strategy and its more prescriptive implementation plan, the FAR Council has extended its own due date for 19 months—and it’s now missed its first deadline under the Trump administration. What’s more, the FAR Council has still not issued a final rule for a separate information technology-related case that was opened in 2017.
Failing to address the FAR Council’s inability to move key cybersecurity rules damages a core element of U.S. cyber doctrine. The 2018 and 2023 national cyber strategies use near-identical language. From 2018: “The Federal Government will use its purchasing power to drive sector-wide improvement in products and services.” And 2023: “We will use Federal purchasing power and grant-making to incentivize security.” Likewise, industry has been pushing this approach for more than 15 years.
The policy thesis is simple: As the largest purchaser of software in the world, the U.S. government can incentivize investments in security as a condition for being an approved vendor. Due to the extremely low marginal costs of software, these cybersecurity improvements will end up being available to other software users as well.
However, if the government cannot actually implement new cybersecurity purchasing rules, this theory of change falls on its face. The government ends up remaining vulnerable due to insufficient software supply chain security—as does the broader information ecosystem.
Secure software development comprises a range of practices, from pre-market quality assurance to post-market vulnerability management to continual monitoring to maintain the integrity of development environments. Nearly five years after SolarWinds, the F5 incident highlights that America’s most sophisticated adversaries are still looking to target software makers’ crown jewels. The policy approach to software supply chain security in Executive Order 14028, itself drawing on principles advanced by the first Trump administration, is sound on its face and addresses gaps highlighted in both of these incidents. But after years of failure to implement that approach, it is time for accountability—or a new strategy altogether. The FAR Council has been marketing procurement vaporware for long enough.
