Per Executive Order 14028, Improving the Nation’s
Cybersecurity, the Office of Management and Budget (OMB)
issued a memorandum on September 14, 2022 requiring
federal agencies to only use software from software producers that
attest compliance with secure software development guidance issued
by the National Institute of Standards and Technology (NIST).
The new agency requirements will apply to third-party software
used on government information systems or third-party software that
otherwise “affects” government information. Specifically,
agencies must require software producers to comply with two
documents: (1) the NIST Secure Software Development Framework
(NIST SP 800-218) and (2) the NIST Software Supply Chain Security Guidance
(collectively, “NIST Guidance”). “Software,” as
defined in the NIST Guidance, includes firmware, operating systems,
applications, application services (e.g., cloud-based software),
and products containing software. The requirements will apply to
software developed after the effective date of the memorandum, and
to existing software that is modified by any major version changes
after September 14, 2022.
Agencies must require attestation from software producers in one
of two ways:
- Self-Attestation: Agencies, at a minimum, must
require software producers to self-attest that their software
complies with the NIST Guidance prior to agency use. The
attestation is to be provided via a standard self-attestation form
and must be retained by the agency, unless the software producer
publicly posts the attestation. The memorandum allows agencies to
accept a Plan of Action & Milestones (POA&M) from the
software producer for secure development practices to which the
software producer cannot attest.
- Third-Party Assessment: Alternatively,
agencies may accept a third-party assessment conducted by a
certified FedRAMP Third Party Assessor Organization (3PAO) or an
assessor approved by the agency. The NIST Guidance is to be used as
the assessment baseline. Based on the criticality of the software,
agencies may require a third-party assessment in some cases.
Additionally, agencies may require software producers to provide
artifacts demonstrating proof of the software development practices
underlying the attestation. This could include a Software Bill of
Materials (SBOM), evidence of participation in a Vulnerability
Disclosure Program, or any other artifacts an agency deems
necessary.
The memorandum provides the following timeline for key
milestones over the next year:
- Agencies are to inventory their software within 90 days,
separately identifying “critical software” (NIST’s
definition of “critical software” is discussed here);
- Agencies will develop a process to communicate requirements to
software producers within 120 days (by January 12, 2023);
- Agencies will begin collecting attestation letters for critical
software within 270 days (by June 11, 2023);
- Agencies will begin collecting attestation letters for all
other software subject to the memorandum within 365 days (by
September 14, 2023).
What contractors should do now. Contractors
that produce or sell software to the government should prepare for
the new security and attestation requirements. Software producers
should take this time to evaluate their software and ensure
compliance with the NIST Guidance. Software resellers should review
their software offerings and consider reaching out to software
producers for assurances that they will be able to meet the
requirements. While the memorandum and Executive Order 14028
contemplate updates to the Federal Acquisition Regulation (FAR)
relating to secure software development practices and the associated
attestation form, we have yet to see an open FAR case on this, and
contractors should not wait for that to happen. It is expected that
agencies will begin incorporating language specifying the new
requirements in solicitations and contracts in accordance with the
timelines outlined above.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.