As developers look back at 2022, the most important changes they might notice center on one of the most boring topics: compliance.
Indeed, compliance is not something that gets most developers — or most people in general — particularly excited. Talking about compliance frameworks and rules is not as fun as discussing programming languages or software architectures. Yet, changes to compliance requirements have arguably been among the factors that have exerted the most significant impact on development practices over the past year.
Here's what those changes to compliance policies entailed, and why they matter for developers.
The Two Major Changes to Compliance Policies in 2022
There were two key developments in the realm of compliance during 2022 that software developers should pay attention to.
Looming California Privacy Rights Act Requirements
The first is the impending implementation of the California Privacy Rights Act, or CPRA, which takes effect on Jan. 1, 2023. Although the new law won't actually become operational until the start of next year, smart developers spent 2022 learning about the CPRA's requirements and what it means for them.
They did so because the CPRA — which extends and enhances the privacy protections of the California Consumer Privacy Act, which took effect in 2020 — does have important implications for software development. Even though the language of the CPRA doesn't address software development specifically, the law imposes specific requirements regarding the way that businesses manage consumers' personal information. As a result, any developer who creates software that ingests, processes, or stores data related to individuals needs to understand the CPRA mandates before they go into effect.
Another important component of the CPRA that matters for developers is its language regarding automated decision-making. Although this language is relatively ambiguous, the CPRA has been interpreted to imply that businesses must provide individuals with the right to opt out of having decisions made about them using algorithms or machine learning. This means developers may need to think harder about where and how to use algorithmic data processing and AI tools in order to avoid running afoul of the CPRA.
For now, much remains unknown about exactly how the CPRA will be enforced, or how courts may interpret its ambiguous language related to topics like automated decision-making. But what is clear is that the CPRA has subtle but important implications for software developers, and that 2022 may turn out to have been the last year when developers could do things like write algorithms to process personal data without worrying about the compliance implications.
Software Supply Chains and SBOMs
The other major compliance development that impacted developers in 2022 was the growing importance of software supply chain security and pressure to create Software Bills of Materials, or SBOMs.
This activity continued a trend that dates to 2021, when revelations about the SolarWinds attack highlighted the importance of securing software supply chains. But 2022 saw even more efforts by major stakeholders — especially within the U.S. federal government — to develop and enforce initiatives designed to help protect against software supply chain risks. The Office of Management and Budget issued guidelines to this effect in September 2022, and the Cybersecurity and Infrastructure Security Agency (CISA) led an initiative to improve understanding of how businesses can use SBOMs to enhance security.
For now, most of the guidance related to software supply chain security and SBOMs remains just that — guidance. There are no legal mandates or compliance frameworks that impose specific requirements related to software supply chain management or SBOM generation (although the federal government requires SBOMs for federal agencies and their contractors).
Still, the writing on the wall should be clear enough for developers today: Going forward, having visibility into the software supply chain, and identifying risks within it, will be critical. Developers need to know which third-party software they rely on and whether any vulnerabilities exist in that software. Most developers may not face specific mandates in this regard at the current time, but there very likely will be increasing pressure for developers to secure supply chains and demonstrate to "downstream" users of their software that they know what is in the software.
Conclusion: Compliance and the Future of Software Development
At first glance, the compliance landscape of 2022 may not seem like something that developers need to pay attention to. No major new compliance frameworks came online, and no existing frameworks were overhauled.
But the impending implementation of the CPRA, combined with government activity related to software supply chain security, gave developers reason enough to follow the compliance domain closely over the past year — and to continue doing so in 2023, when we're likely to begin seeing how the CPRA is actually enforced, as well as whether software supply chain security initiatives will end up becoming part of specific regulatory requirements.
About the author: Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, "For Fun and Profit: A History of the Free and Open Source Software Revolution," was published by MIT Press.