What Modifications to Compliance Policies Mean for Developers

    Compliance Policies

    As developers reflect on the year 2022, the most significant changes they may observe are focused on compliance, one of the least interesting subjects.

    Compliance is not a topic that particularly excites most developers or people in general. Discussions of programming languages or software architectures are more enjoyable than discussions of compliance frameworks and regulations.

    However, it is arguable that changes to compliance requirements are among the elements that most significantly influenced development practices over the past year.

    In 2023, businesses will probably start observing how the compliance policies are put into practice and whether initiatives for software supply chain security will ultimately become part of precise regulatory requirements.

    Here is what those modifications to the compliance policies entailed and why developers should care.

    The Two Biggest Compliance Policy Changes in 2022

    Software developers need to be aware of two significant compliance-related developments that happened in 2022. The first is the CPRA, or California Privacy Rights Act, which will go into effect on January 1, 2023.

    The CPRA, enacted in 2020, extends and strengthens the privacy protections of the California Consumer Privacy Act, and it has significant implications for software development.

    Although the CPRA’s language doesn’t specifically mention software development, the law imposes specific guidelines for how companies must handle customers’ personal data. Because of this, before the CPRA requirements take effect, any developer who produces software that ingests, processes, or stores data about individuals must be familiar with them.

    Another crucial aspect that developers should pay attention to is the CPRA’s language regarding automated decision-making. Although that language is somewhat ambiguous, it has been interpreted to mean that companies must allow people to opt out of having decisions about them made using algorithms or machine learning.

    This implies that in order to comply with the CPRA, developers may need to consider more carefully when and how to use algorithmic data processing and AI tools.

    Many details about the CPRA’s implementation, and about how courts may interpret its ambiguous language on issues like automated decision-making, remain unclear. What is certain, however, is that the CPRA has important but subtle ramifications for software developers, and that 2022 may end up being the final year in which developers could write algorithms to process personal data without being concerned about the compliance repercussions.

    SBOMs and Software Supply Chains

    The pressure to create Software Bills of Materials, or SBOMs, and the increasing significance of software supply chain security were the other significant compliance developments that had an impact on developers in 2022.

    This activity continued a pattern that began in 2021, when information about the SolarWinds attack made it clear how crucial it is to secure software supply chains. The U.S. federal government in particular increased its efforts in 2022 to create and implement programs meant to help mitigate the risks associated with the software supply chain.

    In September 2022, the Office of Management and Budget released guidelines to that effect, and the Cybersecurity & Infrastructure Security Agency (CISA) spearheaded a project to advance knowledge of how companies can use SBOMs to strengthen security.

    The majority of the advice concerning software supply chain security and SBOMs is still only advice for the time being. Software supply chain management and SBOM generation are not subject to any legal mandates or compliance frameworks that impose specific requirements.

    Even so, developers today should be able to see the writing on the wall: in the future, it will be crucial to have visibility into the software supply chain and be able to spot risks there. Developers must be aware of which third-party software they use and whether it has any security flaws.

    The majority of developers might not currently be subject to specific requirements in this area, but the pressure to secure supply chains and show “downstream” users of their software that they are aware of its contents will presumably grow.
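    The practical side of the SBOM discussion above is the check a developer would actually run: read the bill of materials for a build and cross-reference each third-party component against known advisories. The script below is an added example, not code from the article; it assumes an SBOM in the CycloneDX JSON layout (one common SBOM format, used here as an assumption), and every component name, version and advisory entry in it is constructed sample data with placeholder advisory ids. It also handles the common failure mode of a component listed without a version, which cannot be assessed and is reported separately rather than silently passed.

```python
"""Added example (not from the article): cross-check a CycloneDX-style SBOM
against an advisory list to flag third-party components with known flaws.
All package names, versions and advisory ids below are constructed."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed SBOM fragment in CycloneDX JSON layout (sample data, not a real project).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json",   "version": "2.3.1", "purl": "pkg:pypi/example-json@2.3.1"},
    {"type": "library", "name": "example-http",   "version": "1.0.9", "purl": "pkg:pypi/example-http@1.0.9"},
    {"type": "library", "name": "example-crypto", "version": "4.1.0", "purl": "pkg:pypi/example-crypto@4.1.0"},
    {"type": "library", "name": "example-legacy"}
  ]
}
"""

# Constructed advisory list: affected range is [introduced, fixed), the usual half-open form.
ADVISORIES: List[Dict[str, str]] = [
    {"name": "example-json",   "introduced": "2.0.0", "fixed": "2.4.0", "id": "ADVISORY-PLACEHOLDER-1"},
    {"name": "example-crypto", "introduced": "0",     "fixed": "4.2.0", "id": "ADVISORY-PLACEHOLDER-2"},
    {"name": "example-http",   "introduced": "1.1.0", "fixed": "1.1.5", "id": "ADVISORY-PLACEHOLDER-3"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1); a piece like '0rc1' keeps only its leading digits."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (tuple comparison is lexicographic)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_text: str) -> List[Dict[str, Optional[str]]]:
    """Extract (name, version, purl) from a CycloneDX JSON document."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        {"name": c.get("name"), "version": c.get("version"), "purl": c.get("purl")}
        for c in bom.get("components", [])
    ]


def find_vulnerable(sbom_text: str, advisories: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per affected component, plus one per unversioned component."""
    by_name: Dict[str, List[Dict[str, str]]] = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    findings: List[Dict[str, Optional[str]]] = []
    for comp in load_components(sbom_text):
        name, version = comp["name"], comp["version"]
        if not version:
            # An SBOM entry without a version cannot be matched against any advisory;
            # surface it instead of letting it pass as "clean".
            findings.append({"component": name, "version": None, "advisory": None, "status": "unversioned"})
            continue
        for adv in by_name.get(name, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": name, "version": version, "advisory": adv["id"], "status": "affected"})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{f['status']:12} {f['component']} {f['version'] or '(no version)'} {f['advisory'] or ''}")
```

    In a real pipeline the SBOM would come from the build tooling and the advisory list from a vulnerability database; the point the example makes is that the check is cheap once the SBOM exists, and that a component the SBOM cannot pin to a version is a finding in its own right.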

    The Future of Software Development and Compliance

    The compliance landscape of 2022 might not initially appear to be something that developers should be concerned about. No brand-new compliance frameworks appeared, and no significant updates were made to existing ones.

    However, the CPRA’s impending implementation and government initiatives concerning software supply chain security gave developers enough of a reason to pay close attention to the compliance space over the previous year. In 2023, businesses will probably start observing how the CPRA is put into practice and whether initiatives for software supply chain security will ultimately become part of precise regulatory requirements.