Last Updated on January 19, 2024
The US Office of Management and Budget (OMB) just issued a memo to all federal agencies that bolsters security across the government’s software supply chain, as initially mandated by President Biden’s cybersecurity executive order from May 2021.
The memo requires agencies and their software vendors to comply with the NIST Secure Software Development Framework (SSDF), NIST 800-218, and the NIST Software Supply Chain Guidance documents—collectively termed “the NIST Guidance”—for all third-party software used on government systems or when processing government data. The memo also initiates a self-attestation security policy for software vendors.
Why is this important?
As evidenced by the SolarWinds software supply chain hack that spawned EO 14028, the global software supply chain is under continuous threat from our most sophisticated and determined nation-state and criminal adversaries in the current cyber war. Their goals include compromising the integrity of US government systems, threatening US critical infrastructure and services, stealing sensitive and valuable data and intellectual property, and putting US national security and military operations at risk.
This memo, which outlines how NIST Guidance on securing the software supply chain will initially be implemented, specifies key steps to keep US government data and systems secure. Without these essential safeguards, the software our government depends on will continue to offer attackers a wide choice of high-severity vulnerabilities.
What does this apply to?
The mandate to apply NIST Guidance relates to all software developed after September 14, 2022, and to major version updates to current software. Regarding software developed internally, “agencies are expected to take appropriate steps to adopt and implement secure software development practices for agency-developed software.”
The OMB’s emphasis on attestation has equally sweeping ramifications. Agencies can only use software from vendors who can self-attest or provide third-party attestation that they comply with the NIST Guidance. Valid independent attestations can only come from certified FedRAMP assessors or other OMB-approved assessors.
What’s next for agencies?
The OMB memo mandates the following actions and timelines for federal agencies and their software suppliers:
- “within 90 days, agencies must inventory all software subject to the Memorandum;
- within 120 days, agencies will have developed a process to communicate requirements to vendors and ensure that vendor attestation letters can be collected in a central agency system;
- within 180 days, agencies must assess training needs and develop plans for the review and validation of attestation documents;
- within 270 days for critical software and within 365 days for all others, agencies will require self-attestations from all software producers; and
- as needed, obtain from software producers a Software Bill of Materials (SBOM) or other artifact(s) that demonstrate conformance to secure software development practices.”
- Within 365 days, agencies are required to collect attestations not publicly posted by software vendors for all applicable software.
- Within 180 days, the OMB in collaboration with the Cybersecurity and Infrastructure Security Administration (CISA) and General Services Administration (GSA) will develop a program plan for a secure, centralized repository for software attestations and related artifacts.
A standardized self-attestation form is forthcoming from the Federal Acquisition Regulatory Council. For critical software, agencies may also require a software bill of materials (SBOM). Agencies can request limited duration waivers to the above deadlines in the event of “exceptional circumstances.”
What’s next for software vendors?
Software vendors serving the government will need to act quickly to align their development practices with the NIST Guidance and prepare appropriate attestations. Vendors that cannot attest to compliance with the NIST Guidance must identify those practices they don’t yet support, document their risk mitigation approach for each, and present a Plan of Action & Milestones (POA&M) to address each noncompliant practice.
Want expert help assessing your current software development program and/or planning a roadmap for compliance with the NIST Guidance? Contact Pivot Point Security.
Want more details?
For more information, see these original sources:
- The OMB memorandum:
https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf
- A “briefing blog” on the OMB memo from Chris DeRusha, Federal CISO and Deputy National Cyber Director
- Executive Order 14028 (most pertinently Section 4e):
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
- NIST SSDF version 1.1 and NIST 800-218:
https://csrc.nist.gov/publications/detail/sp/800-218/final
- NIST software supply chain security guidance:
https://www.nist.gov/system/files/documents/2022/02/04/software-supply-chain-security-guidance-under-EO-14028-section-4e.pdf