December 1, 2022

Volume XII, Number 335


Federal Government Outlines New Security and Attestation Requirements for Software

Per Executive Order 14028, Improving the Nation’s Cybersecurity, the Office of Management and Budget (OMB) issued a memorandum on September 14, 2022 requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the National Institute of Standards and Technology (NIST).

The new agency requirements will apply to third-party software used on government information systems or third-party software that otherwise “affects” government information. Specifically, agencies must require software producers to comply with two documents: (1) the NIST Secure Software Development Framework (NIST SP 800-218) and (2) the NIST Software Supply Chain Security Guidance (collectively, “NIST Guidance”). “Software,” as defined in the NIST Guidance, includes firmware, operating systems, applications, application services (e.g., cloud-based software), and products containing software. The requirements will apply to software developed after the effective date of the memorandum, and to existing software that is modified by any major version changes after September 14, 2022.

Agencies must require attestation from software producers in one of two ways:

  • Self-Attestation: Agencies, at a minimum, must require software producers to self-attest that their software complies with the NIST Guidance prior to agency use. The attestation is to be provided via a standard self-attestation form and must be retained by the agency, unless the software producer publicly posts the attestation. The memorandum allows agencies to accept a Plan of Action & Milestones (POA&M) from the software producer for secure development practices to which the software producer cannot attest.

  • Third-Party Assessment: Alternatively, agencies may accept a third-party assessment conducted by a certified FedRAMP Third Party Assessor Organization (3PAO) or an assessor approved by the agency. The NIST Guidance is to be used as the assessment baseline. Based on the criticality of the software, agencies may require a third-party assessment in some cases.

Additionally, agencies may require software producers to provide artifacts demonstrating proof of the software development practices underlying the attestation. This could include a Software Bill of Materials (SBOM), evidence of participation in a Vulnerability Disclosure Program, or any other artifacts an agency deems necessary.

The memorandum provides the following timeline for key milestones over the next year:

  • Agencies are to inventory their software within 90 days, separately identifying “critical software” (NIST’s definition of “critical software” is discussed here);

  • Agencies will develop a process to communicate requirements to software producers within 120 days (by January 12, 2023);

  • Agencies will begin collecting attestation letters for critical software within 270 days (by June 11, 2023);

  • Agencies will begin collecting attestation letters for all other software subject to the memorandum within 365 days (by September 14, 2023).

What contractors should do now. Contractors that produce or sell software to the government should prepare for the new security and attestation requirements. Software producers should take this time to evaluate their software and ensure compliance with the NIST Guidance. Software resellers should review their software offerings and consider reaching out to software producers for assurances that they will be able to meet the requirements. While the memorandum and Executive Order 14028 contemplate updates to the Federal Acquisition Regulation (FAR) relating to secure software development practices and the associated attestation form, we have yet to see an open FAR case on this, and contractors should not wait for that to happen. It is expected that agencies will begin incorporating language specifying the new requirements in solicitations and contracts in accordance with the timelines outlined above.


Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 271

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations.

Ms. Bourne advises clients on a...

Lauren Weiss, Associate, Washington D.C., Sheppard, Mullin, Richter & Hampton LLP

Lauren Weiss is an associate in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice: Lauren’s practice focuses on government contracts litigation, investigations, and counseling matters, including the following areas: cybersecurity counseling, internal investigations, regulatory compliance, bid protests before the U.S. Government Accountability Office, civil False Claims Act litigation defense, and transactional due diligence.