The Office of Management and Budget (OMB) has issued a memo requiring US federal government agencies to use software that has been built according to secure software development practices and whose developers follow practices for software supply chain security, as specified by the National Institute of Standards and Technology (NIST).
“The term ‘software’ for purposes of this memorandum includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software,” the memo spells out.
“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” said Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director.
“With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”
The agencies have been given a roadmap of how to implement the requirements laid out in the memo, and by when:
- They must inventory all software (within 90 days)
- Their CIOs must communicate the requirements to vendors and ensure attestation letters are collected in one central agency system (within 120 days)
- They must collect attestation letters for “critical software” (within 270 days)
- They must collect attestation letters for all software subject to the requirements of the memo (within 365 days), and
- Their CIOs must assess training needs and develop training plans for the review and validation of software attestations and artifacts (i.e., a software bill of materials) (within 180 days)
“Agencies are required to obtain a self-attestation from the software producer before using the software,” the memo says, and “if the software producer cannot attest to one or more practices from the NIST Guidance identified in the standard self-attestation form, the requesting agency shall require the software producer to identify those practices to which they cannot attest, document practices they have in place to mitigate those risks, and require a Plan of Action & Milestones (POA&M) to be developed.”
If the software producer cannot provide a self-attestation – e.g., for open source software or products incorporating open source software – the agency must instead obtain a third-party assessment from either a certified FedRAMP Third Party Assessor Organization (3PAO) or an assessor approved by the agency.
The attestation requirements don’t apply to software developed by the agencies themselves, but the agencies are expected to implement secure software development practices.
The requirements will help raise software security for all
The memo is aimed at avoiding incidents like the 2020 SolarWinds hack, when attackers breached several US federal agencies via compromised SolarWinds Orion software.
It’s part of the realization of a plan laid out in President Joe Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity, which includes steps for working towards modernizing federal government cybersecurity and enhancing software supply chain security.
While this memo applies only to US federal agencies and executive departments, it will surely have a positive impact on the public and private sectors in the US and around the world as well, since most of the software and solutions in question are widely used outside the federal government.