[{"data":1,"prerenderedAt":518},["ShallowReactive",2],{"/en-us/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers":3,"footer-en-us":51,"the-source-banner-en-us":385,"the-source-navigation-en-us":391,"article-site-categories-en-us":414,"the-source-newsletter-en-us":416,"national-cybersecurity-strategy-a-wake-up-call-for-software-developers-article-hero-category-en-us":423,"national-cybersecurity-strategy-a-wake-up-call-for-software-developers-the-source-source-cta-en-us":448,"national-cybersecurity-strategy-a-wake-up-call-for-software-developers-article-hero-author-en-us":458,"national-cybersecurity-strategy-a-wake-up-call-for-software-developers-category-en-us":482,"national-cybersecurity-strategy-a-wake-up-call-for-software-developers-the-source-resources-en-us":495},{"id":4,"title":5,"body":6,"category":7,"config":8,"content":14,"description":6,"extension":41,"meta":42,"navigation":43,"path":44,"seo":45,"slug":47,"stem":48,"type":49,"__hash__":50},"theSource/en-us/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers.yml","National Cybersecurity Strategy A Wake Up Call For Software Developers",null,"security",{"layout":9,"template":10,"author":11,"featured":12,"sourceCTA":13},"the-source","TheSourceArticle","joel-krooswyk",false,"application-security-in-the-digital-age",{"title":15,"date":16,"description":17,"timeToRead":18,"heroImage":19,"keyTakeaways":20,"articleBody":24,"faq":25},"National Cybersecurity Strategy: A wake-up call for software developers","2023-03-07","The new White House policy puts liability for poor security on software makers. 
Learn how DevSecOps can protect your organization.","5 min read","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464383/klpmnmeqtsebmwgu1vps.png",[21,22,23],"The 2023 National Cybersecurity Strategy places a strong emphasis on software security, shifting the responsibility to software makers for the development, deployment, and maintenance of secure products.","The main aspects highlighted by the policy include collaboration, digital transformation, automation, and transparency.","An end-to-end DevSecOps platform aligns well with the new strategy, offering comprehensive solutions for software supply chain security, software inventory generation, and assurance of software trustworthiness.","The 2023 National Cybersecurity Strategy, which the White House released last week, should serve as a wake-up call to all organizations that develop software, whether for internal or external use. The policy puts the liability for poor security on software makers and requires a strengthening of security at every step of the software development lifecycle.\n\nThe policy shines a spotlight on the importance of collaboration, digital transformation, automation, and transparency. The White House is seeking to advance security-first posturing, eliminate the top cybersecurity threats, rebalance software security responsibility and data stewardship, defend against malicious actors, and forge international partnerships.\n\n“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers. 
Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product,” the White House strategy states.\n\nA replacement of the [2018 National Cyber Strategy](https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf), the 2023 policy focuses on five key pillars designed to improve national and global cybersecurity for the public and private sectors.\n\nThe five pillars of the 2023 National Cybersecurity Strategy are:\n\n* Defend Critical Infrastructure\n* Disrupt and Dismantle Threat Actors\n* Shape Market Forces to Drive Security and Resilience\n* Invest in a Resilient Future\n* Forge International Partnerships to Pursue Shared Goals\n\n## What the strategy means for software makers\nThe White House’s strategy puts the onus for developing, deploying, and maintaining secure software on software makers. It states that too many vendors “ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance.”\n\nIn addition, the strategy notes that software makers “are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing.”\n\nDevelopers who fail to take reasonable precautions to secure their software will be held liable, according to the strategy, with the ultimate goal of encouraging the development of safer and more secure products and services. 
The White House plans to work with Congress to create legislation that establishes liability for software products and services.\n\n## DevSecOps and National Cybersecurity Strategy\nOne scalable and dependable way to align with the National Cybersecurity Strategy is with [a comprehensive DevSecOps approach](/topics/devsecops/), which integrates security and compliance into the developer experience.\n\nGitLab’s DevSecOps Platform helps software makers:\n\n- Secure their end-to-end [software supply chain](/blog/the-ultimate-guide-to-software-supply-chain-security/), including source, build, dependencies, and release artifacts\n- Create an inventory of software used with a [software bill of materials (SBOM)](/blog/the-ultimate-guide-to-sboms/)\n- Demonstrate their software is trustworthy via [SLSA](/blog/achieve-slsa-level-2-compliance-with-gitlab/)\n\nGitLab automatically scans for vulnerabilities in source code, containers, dependencies, and running applications. By centralizing end-to-end collaboration, GitLab ensures the [\"secure-by-design\" principle](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/) recommended by the National Cybersecurity Strategy is applied in every phase of software development.\n\nGitLab also helps companies track changes, implement the controls needed to protect what goes into production, and ensure adherence to license compliance and regulatory frameworks.\n\nThe White House’s strategy also proposes future legislation that will include safe harbor from liability for those that follow best practices like [NIST’s Secure Software Development Framework (SSDF)](/blog/comply-with-nist-secure-supply-chain-framework-with-gitlab/). GitLab has the built-in automation to support much of the NIST SSDF with little-to-no configuration required. 
Issue-based workflows, source code management, automated builds, broad-capability security scanning, code reviews, approvals, and environment visibility are all part of GitLab Ultimate.\n\nThe National Cybersecurity Strategy acknowledges that balancing short-term imperatives with the vision for trust and safety in software will be a challenge for most organizations. Given the interdependencies and complexities of software development, organizations should assess the current state of their SDLC and quickly identify what design, architectural, and operational changes they have to make to align with the White House’s proposed mandates.",[26,29,32,35,38],{"header":27,"content":28},"How does the strategy plan to hold software vendors accountable?","The strategy proposes working with Congress to establish legislation that enforces liability for software products and services that do not follow secure-by-design principles. By shifting legal accountability to those best positioned to prevent security flaws, the goal is to incentivize vendors to prioritize robust security throughout the software development lifecycle.",{"header":30,"content":31},"What does this mean for organizations building or maintaining software?","Organizations developing software will need to evaluate their entire development lifecycle to ensure alignment with the expectations outlined in the strategy. This includes adopting best practices for secure development, performing thorough testing, managing software components responsibly, and maintaining transparency through tools like SBOMs.",{"header":33,"content":34},"How can DevSecOps support compliance with the National Cybersecurity Strategy?","A DevSecOps approach ensures that security and compliance are integrated into every stage of the software development lifecycle. 
By using a unified platform, organizations can automate vulnerability scanning, track software components, manage security policies, and enforce compliance controls — all key aspects of aligning with the strategy’s objectives.",{"header":36,"content":37},"What role does GitLab play in supporting secure software practices?","GitLab’s DevSecOps platform provides built-in tools for vulnerability scanning, license compliance, source code protection, and regulatory adherence. It supports standards like the NIST Secure Software Development Framework (SSDF) with minimal configuration, helping teams implement secure-by-design principles and streamline reporting and accountability.",{"header":39,"content":40},"Why should software makers take this strategy seriously?","With the proposed legislative changes, software vendors that fail to adopt secure practices may face legal and financial consequences. This makes early alignment with the strategy not only a matter of national security, but also a proactive business decision.","yml",{},true,"/en-us/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers",{"title":15,"description":17,"ogImage":19,"config":46},{"ignoreTitleCharLimit":43},"national-cybersecurity-strategy-a-wake-up-call-for-software-developers","en-us/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers","article","UxPQV28htBE5WMCw4jxJ3VUD09Sjoqu4Vv7VggpYiS0",{"data":52},{"text":53,"source":54,"edit":60,"contribute":65,"config":70,"items":75,"minimal":374},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":55,"config":56},"View page source",{"href":57,"dataGaName":58,"dataGaLocation":59},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":61,"config":62},"Edit this 
page",{"href":63,"dataGaName":64,"dataGaLocation":59},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":66,"config":67},"Please contribute",{"href":68,"dataGaName":69,"dataGaLocation":59},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":71,"facebook":72,"youtube":73,"linkedin":74},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[76,133,190,249,312],{"title":77,"links":78,"subMenu":94},"Pricing",[79,84,89],{"text":80,"config":81},"View plans",{"href":82,"dataGaName":83,"dataGaLocation":59},"/pricing/","view plans",{"text":85,"config":86},"Why Premium?",{"href":87,"dataGaName":88,"dataGaLocation":59},"/pricing/premium/","why premium",{"text":90,"config":91},"Why Ultimate?",{"href":92,"dataGaName":93,"dataGaLocation":59},"/pricing/ultimate/","why ultimate",[95],{"title":96,"links":97},"Contact Us",[98,103,108,113,118,123,128],{"text":99,"config":100},"Contact sales",{"href":101,"dataGaName":102,"dataGaLocation":59},"/sales/","sales",{"text":104,"config":105},"Support portal",{"href":106,"dataGaName":107,"dataGaLocation":59},"https://support.gitlab.com","support portal",{"text":109,"config":110},"Customer portal",{"href":111,"dataGaName":112,"dataGaLocation":59},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":114,"config":115},"Status",{"href":116,"dataGaName":117,"dataGaLocation":59},"https://status.gitlab.com/","status",{"text":119,"config":120},"Terms of use",{"href":121,"dataGaName":122,"dataGaLocation":59},"/terms/","terms of use",{"text":124,"config":125},"Privacy statement",{"href":126,"dataGaName":127,"dataGaLocation":59},"/privacy/","privacy statement",{"text":129,"config":130},"Cookie 
preferences",{"dataGaName":131,"dataGaLocation":59,"id":132,"isOneTrustButton":43},"cookie preferences","ot-sdk-btn",{"title":134,"links":135,"subMenu":146},"Product",[136,141],{"text":137,"config":138},"DevSecOps platform",{"href":139,"dataGaName":140,"dataGaLocation":59},"/platform/","devsecops platform",{"text":142,"config":143},"AI-Assisted Development",{"href":144,"dataGaName":145,"dataGaLocation":59},"/gitlab-duo/","ai-assisted development",[147],{"title":148,"links":149},"Topics",[150,155,160,165,170,175,180,185],{"text":151,"config":152},"CICD",{"href":153,"dataGaName":154,"dataGaLocation":59},"/topics/ci-cd/","cicd",{"text":156,"config":157},"GitOps",{"href":158,"dataGaName":159,"dataGaLocation":59},"/topics/gitops/","gitops",{"text":161,"config":162},"DevOps",{"href":163,"dataGaName":164,"dataGaLocation":59},"/topics/devops/","devops",{"text":166,"config":167},"Version Control",{"href":168,"dataGaName":169,"dataGaLocation":59},"/topics/version-control/","version control",{"text":171,"config":172},"DevSecOps",{"href":173,"dataGaName":174,"dataGaLocation":59},"/topics/devsecops/","devsecops",{"text":176,"config":177},"Cloud Native",{"href":178,"dataGaName":179,"dataGaLocation":59},"/topics/cloud-native/","cloud native",{"text":181,"config":182},"AI for Coding",{"href":183,"dataGaName":184,"dataGaLocation":59},"/topics/devops/ai-for-coding/","ai for coding",{"text":186,"config":187},"Agentic AI",{"href":188,"dataGaName":189,"dataGaLocation":59},"/topics/agentic-ai/","agentic ai",{"title":191,"links":192},"Solutions",[193,197,202,207,212,216,221,224,229,234,239,244],{"text":194,"config":195},"Application Security Testing",{"href":196,"dataGaName":194,"dataGaLocation":59},"/solutions/application-security-testing/",{"text":198,"config":199},"Automated software delivery",{"href":200,"dataGaName":201,"dataGaLocation":59},"/solutions/delivery-automation/","automated software delivery",{"text":203,"config":204},"Agile 
development",{"href":205,"dataGaName":206,"dataGaLocation":59},"/solutions/agile-delivery/","agile delivery",{"text":208,"config":209},"SCM",{"href":210,"dataGaName":211,"dataGaLocation":59},"/solutions/source-code-management/","source code management",{"text":151,"config":213},{"href":214,"dataGaName":215,"dataGaLocation":59},"/solutions/continuous-integration/","continuous integration & delivery",{"text":217,"config":218},"Value stream management",{"href":219,"dataGaName":220,"dataGaLocation":59},"/solutions/value-stream-management/","value stream management",{"text":156,"config":222},{"href":223,"dataGaName":159,"dataGaLocation":59},"/solutions/gitops/",{"text":225,"config":226},"Enterprise",{"href":227,"dataGaName":228,"dataGaLocation":59},"/enterprise/","enterprise",{"text":230,"config":231},"Small business",{"href":232,"dataGaName":233,"dataGaLocation":59},"/small-business/","small business",{"text":235,"config":236},"Public sector",{"href":237,"dataGaName":238,"dataGaLocation":59},"/solutions/public-sector/","public sector",{"text":240,"config":241},"Education",{"href":242,"dataGaName":243,"dataGaLocation":59},"/solutions/education/","education",{"text":245,"config":246},"Financial services",{"href":247,"dataGaName":248,"dataGaLocation":59},"/solutions/finance/","financial services",{"title":250,"links":251},"Resources",[252,257,262,267,272,277,282,287,292,297,302,307],{"text":253,"config":254},"Install",{"href":255,"dataGaName":256,"dataGaLocation":59},"/install/","install",{"text":258,"config":259},"Quick start guides",{"href":260,"dataGaName":261,"dataGaLocation":59},"/get-started/","quick setup checklists",{"text":263,"config":264},"Learn",{"href":265,"dataGaName":266,"dataGaLocation":59},"https://university.gitlab.com/","learn",{"text":268,"config":269},"Product 
documentation",{"href":270,"dataGaName":271,"dataGaLocation":59},"https://docs.gitlab.com/","docs",{"text":273,"config":274},"Blog",{"href":275,"dataGaName":276,"dataGaLocation":59},"/blog/","blog",{"text":278,"config":279},"Customer success stories",{"href":280,"dataGaName":281,"dataGaLocation":59},"/customers/","customer success stories",{"text":283,"config":284},"Remote",{"href":285,"dataGaName":286,"dataGaLocation":59},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":288,"config":289},"GitLab Services",{"href":290,"dataGaName":291,"dataGaLocation":59},"/services/","services",{"text":293,"config":294},"Community",{"href":295,"dataGaName":296,"dataGaLocation":59},"/community/","community",{"text":298,"config":299},"Forum",{"href":300,"dataGaName":301,"dataGaLocation":59},"https://forum.gitlab.com/","forum",{"text":303,"config":304},"Events",{"href":305,"dataGaName":306,"dataGaLocation":59},"/events/","events",{"text":308,"config":309},"Partners",{"href":310,"dataGaName":311,"dataGaLocation":59},"/partners/","partners",{"title":313,"links":314},"Company",[315,320,325,330,335,340,345,349,354,359,364,369],{"text":316,"config":317},"About",{"href":318,"dataGaName":319,"dataGaLocation":59},"/company/","company",{"text":321,"config":322},"Jobs",{"href":323,"dataGaName":324,"dataGaLocation":59},"/jobs/","jobs",{"text":326,"config":327},"Leadership",{"href":328,"dataGaName":329,"dataGaLocation":59},"/company/team/e-group/","leadership",{"text":331,"config":332},"Team",{"href":333,"dataGaName":334,"dataGaLocation":59},"/company/team/","team",{"text":336,"config":337},"Handbook",{"href":338,"dataGaName":339,"dataGaLocation":59},"https://handbook.gitlab.com/","handbook",{"text":341,"config":342},"Investor relations",{"href":343,"dataGaName":344,"dataGaLocation":59},"https://ir.gitlab.com/","investor 
relations",{"text":346,"config":347},"Sustainability",{"href":348,"dataGaName":346,"dataGaLocation":59},"/sustainability/",{"text":350,"config":351},"Diversity, inclusion and belonging (DIB)",{"href":352,"dataGaName":353,"dataGaLocation":59},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":355,"config":356},"Trust Center",{"href":357,"dataGaName":358,"dataGaLocation":59},"/security/","trust center",{"text":360,"config":361},"Newsletter",{"href":362,"dataGaName":363,"dataGaLocation":59},"/company/contact/#contact-forms","newsletter",{"text":365,"config":366},"Press",{"href":367,"dataGaName":368,"dataGaLocation":59},"/press/","press",{"text":370,"config":371},"Modern Slavery Transparency Statement",{"href":372,"dataGaName":373,"dataGaLocation":59},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":375},[376,379,382],{"text":377,"config":378},"Terms",{"href":121,"dataGaName":122,"dataGaLocation":59},{"text":380,"config":381},"Cookies",{"dataGaName":131,"dataGaLocation":59,"id":132,"isOneTrustButton":43},{"text":383,"config":384},"Privacy",{"href":126,"dataGaName":127,"dataGaLocation":59},{"visibility":43,"title":386,"button":387},"The Intelligent Software Development Era: How AI is reshaping DevSecOps teams",{"config":388,"text":390},{"href":389},"/developer-survey/","Get the research report",{"logo":392,"subscribeLink":397,"navItems":401},{"altText":393,"config":394},"the source logo",{"src":395,"href":396},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":398,"config":399},"Subscribe",{"href":400},"#subscribe",[402,406,410],{"text":403,"config":404},"Artificial Intelligence",{"href":405},"/the-source/ai/",{"text":407,"config":408},"Security & Compliance",{"href":409},"/the-source/security/",{"text":411,"config":412},"Platform & 
Infrastructure",{"href":413},"/the-source/platform/",{"categoryNames":415},{"ai":403,"platform":411,"security":407},{"title":417,"description":418,"submitMessage":419,"formData":420},"The Source Newsletter","Stay updated with insights for the future of software development.","You have successfully signed up for The Source’s newsletter.",{"config":421},{"formId":422,"formName":363,"hideRequiredLabel":43},1077,{"id":424,"title":425,"body":6,"category":6,"config":426,"content":427,"description":6,"extension":41,"meta":442,"navigation":43,"path":443,"seo":444,"slug":7,"stem":445,"testContent":6,"type":446,"__hash__":447},"pages/en-us/the-source/security/index.yml","",{"layout":9},[428,435],{"componentName":429,"type":429,"componentContent":430},"TheSourceCategoryHero",{"title":407,"description":431,"image":432},"Get up to speed on how organizations can ensure they're staying on top of evolving security threats and compliance requirements.",{"config":433},{"src":434},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463273/aplkxrvwpii26xao5yhi.png",{"componentName":436,"type":436,"componentContent":437},"TheSourceCategoryMainSection",{"config":438},{"sourceCTAs":439},[440,441,13],"source-lp-guide-to-dynamic-sboms","source-lp-devsecops-the-key-to-modern-security-resilience",{},"/en-us/the-source/security",{"title":407,"description":431,"ogImage":434},"en-us/the-source/security/index","category","Yz-XSZ2w3Zg4r2_4aWlzq2kmfduukECmMNfXD6Ha26w",{"config":449,"title":450,"description":451,"link":452},{"slug":13},"Application security in the digital age","Read our survey findings from more than 5,000 DevSecOps professionals worldwide for insights on how organizations are grappling with increasing attack surfaces and changing attitudes towards security and AI.",{"text":453,"config":454},"Read the report",{"href":455,"dataGaName":456,"dataGaLocation":457},"/developer-survey/2024/security-compliance/","Application Security in the Digital 
Age","thesource",{"id":459,"title":460,"body":6,"category":6,"config":461,"content":462,"description":6,"extension":41,"meta":476,"navigation":43,"path":477,"seo":478,"slug":11,"stem":479,"testContent":6,"type":480,"__hash__":481},"theSourceAuthors/en-us/the-source/authors/joel-krooswyk.yml","Joel Krooswyk",{"layout":9},[463,474],{"componentName":464,"type":464,"componentContent":465},"TheSourceAuthorHero",{"config":466,"name":460,"role":469,"bio":470,"headshot":471},{"gitlabHandle":467,"linkedInProfileUrl":468},"jkrooswyk","https://www.linkedin.com/in/joelrkrooswyk/","Federal CTO","Joel Krooswyk is the Federal CTO at GitLab. Joel has actively been involved in GitLab’s growth since 2017. His 25 years of leadership experience span not only the U.S. Public Sector, but also small, mid-market, and enterprise businesses globally. Joel combines deep government policy expertise with a wealth of experience in technology, software development, AI, and cybersecurity. He is frequently called upon by industry and agencies alike for policy commentary and 
response.",{"altText":460,"config":472},{"src":473},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463423/mkmdhuxsjggfvokdmdv7.jpg",{"componentName":475,"type":475},"TheSourceArticlesList",{},"/en-us/the-source/authors/joel-krooswyk",{"title":460},"en-us/the-source/authors/joel-krooswyk","author","i75DLuABeVjSJeWcKUolIMQf7SuZpCeNs2Ibd4a8NKM",{"id":424,"title":425,"body":6,"category":6,"config":483,"content":484,"description":6,"extension":41,"meta":493,"navigation":43,"path":443,"seo":494,"slug":7,"stem":445,"testContent":6,"type":446,"__hash__":447},{"layout":9},[485,489],{"componentName":429,"type":429,"componentContent":486},{"title":407,"description":431,"image":487},{"config":488},{"src":434},{"componentName":436,"type":436,"componentContent":490},{"config":491},{"sourceCTAs":492},[440,441,13],{},{"title":407,"description":431,"ogImage":434},[496,500,509],{"config":497,"title":450,"description":451,"link":498},{"slug":13},{"text":453,"config":499},{"href":455,"dataGaName":456,"dataGaLocation":457},{"config":501,"title":502,"description":503,"link":504},{"slug":441},"DevSecOps: The key to modern security resilience","Learn how embedding security in development can slash incident response time by 720x and save millions in security costs annually.",{"text":505,"config":506},"Download the guide",{"href":507,"dataGaName":508,"dataGaLocation":457},"/the-source/security/devsecops-the-key-to-modern-security-resilience/","DevSecOps the key to modern security resilience",{"config":510,"title":511,"description":512,"link":513},{"slug":440},"Guide to dynamic SBOMs: An integral element of modern software development","Learn how to gain visibility into previously unidentified organizational risks with a software bill of materials (SBOM).",{"text":514,"config":515},"Read the guide",{"href":516,"dataGaName":517,"dataGaLocation":457},"/the-source/security/guide-to-dynamic-sboms/","Guide to Dynamic SBOMs",1772652101697]