Per Executive Order 14028, Improving the Nation’s Cybersecurity, the Office of Management and Budget (OMB) issued a memorandum on September 14, 2022 requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the National Institute of Standards and Technology (NIST).
The new agency requirements will apply to third-party software used on government information systems or third-party software that otherwise “affects” government information. Specifically, agencies must require software producers to comply with two documents: (1) the NIST Secure Software Development Framework (NIST SP 800-218) and (2) the NIST Software Supply Chain Security Guidance (collectively, “NIST Guidance”). “Software,” as defined in the NIST Guidance, includes firmware, operating systems, applications, application services (e.g., cloud-based software), and products containing software. The requirements will apply to software developed after the effective date of the memorandum, and to existing software that is modified by any major version changes after September 14, 2022.
Agencies must require attestation from software producers in one of two ways:
Self-Attestation: Agencies, at a minimum, must require software producers to self-attest that their software complies with the NIST Guidance prior to agency use. The attestation is to be provided via a standard self-attestation form and must be retained by the agency, unless the software producer publicly posts the attestation. The memorandum allows agencies to accept a Plan of Action & Milestones (POA&M) from the software producer for secure development practices to which the software producer cannot attest.
Third-Party Assessment: Alternatively, agencies may accept a third-party assessment conducted by a certified FedRAMP Third Party Assessor Organization (3PAO) or an assessor approved by the agency. The NIST Guidance is to be used as the assessment baseline. Based on the criticality of the software, agencies may require a third-party assessment in some cases.
Additionally, agencies may require software producers to provide artifacts demonstrating proof of the software development practices underlying the attestation. This could include a Software Bill of Materials (SBOM), evidence of participation in a Vulnerability Disclosure Program, or any other artifacts an agency deems necessary.
The memorandum provides the following timeline for key milestones over the next year:
Agencies are to inventory their software within 90 days, separately identifying “critical software” (NIST’s definition of “critical software” is discussed here);
Agencies will develop a process to communicate requirements to software producers within 120 days (by January 12, 2023);
Agencies will begin collecting attestation letters for critical software within 270 days (by June 11, 2023);
Agencies will begin collecting attestation letters for all other software subject to the memorandum within 365 days (by September 14, 2023).
What contractors should do now. Contractors that produce or sell software to the government should prepare for the new security and attestation requirements. Software producers should take this time to evaluate their software and ensure compliance with the NIST Guidance. Software resellers should review their software offerings and consider reaching out to software producers for assurances that they will be able to meet the requirements. While the memorandum and Executive Order 14028 contemplate updates to the Federal Acquisition Regulation (FAR) relating to secure software development practices and the associated attestation form, we have yet to see an open FAR case on this, and contractors should not wait for that to happen. It is expected that agencies will begin incorporating language specifying the new requirements in solicitations and contracts in accordance with the timelines outlined above.