The departments of Commerce, Treasury, Homeland Security and the National Institutes of Health were all compromised. A large roster of private companies—among them Microsoft, Intel, Cisco, Deloitte, FireEye, and CrowdStrike—were also breached.
In response, a Biden EO required the Cybersecurity and Infrastructure Security Agency to establish a “common form” for self-attestation that organizations selling critical software to the federal government were complying with the provisions in the SSDF. The attestation had come from a company officer.
Trump’s EO removes that requirement and instead directs National Institute for Standards and Technology (NIST) to create a reference security implementation for the SSDF with no further attestation requirement. The new implementation will
→ Continue reading at Ars Technica