OMB Issues New Cybersecurity Requirements for Federal Agencies that Impact Companies that Sell Software to the Government

The Office of Management and Budget (OMB) issued Memorandum M-22-18, dated September 14, 2022, Subject: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. The memorandum implements the President’s Executive Order 14028, Improving the Nation’s Cybersecurity.

OMB is requiring Federal agencies to comply with additional NIST requirements. The new requirements, which OMB defines as “NIST Guidance,” represent the foundation for developing secure software and consist of two NIST documents.

While this guidance is directed at Federal agencies, implementing these requirements will have a significant impact on companies that supply software, or products that include software, to the federal government.

What Can a Software Developer Expect?

While the memorandum is effective as of September 14, 2022, OMB gives Federal agencies 90 days, until mid-December 2022, to inventory all software subject to the memorandum and to separately identify the software they consider critical.

Once an agency has identified the software products it considers critical, it is required to communicate the requirements to the software providers. OMB defines software broadly to include the following:

  • Firmware
  • Operating systems
  • Applications
  • Applications services (e.g., cloud-based software)
  • Products containing software

Companies should be on the lookout for a notification, because the next step for Federal agencies is to require software providers and developers to provide a self-attestation before awarding future federal contracts. Since there is not yet a contract clause for this requirement, companies may see it appear as a special clause or requirement in a solicitation.

Where Can I Find the Self-Attestation Form?

A self-attestation form has not yet been developed. The FAR Council is working on a uniform standard self-attestation form. OMB has stated, however, that the self-attestation must include the following information:

  • Software developer’s name
  • Description of the product or products the statement refers to (preferably at the product line level)
  • Statement attesting that the software developer follows the secure development practices and tasks itemized in the self-attestation form

What is a Task?

It is not defined. Companies will need to work out which practices in the “NIST Guidance” documents are relevant to mitigating threats to their software development processes and include those practices in their assessment. Hopefully the self-attestation form that the FAR Council is developing will include guidance on this point.

Companies that provide software, or products that contain software, to the government should be on the lookout for a notification before the end of December 2022. If you are notified, pay careful attention to the self-attestation requirements, as they may appear in a solicitation you are responding to. At present there is no standard attestation form and no specific direction to contractors.

Redstone GCI can provide our clients with more information and guidance, working with established, industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments and POA&M (Plan of Action and Milestones) management for the information technology infrastructure. Redstone GCI, along with our trusted partners, can bring you a full solution for ensuring that cybersecurity policy and flow-down requirements are met in all areas, including purchasing policy requirements.

Written by Lynne Nalley, CPA

Lynne Nalley, CPA

Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.

Professional Experience

Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne’s experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, CAS and testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS, and made NASBA certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost and progress payments. To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractors’ assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA.

Education

Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.

Certifications

  • State of Florida Certified Public Accountant
  • State of Alabama Certified Public Accountant
  • Defense Acquisition Workforce Improvement Act (DAWIA) Level III - Auditing
  • DAWIA Level III - Contracting

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.

Topics: DFARS Business Systems, Contractor Purchasing System Review (CPSR), Cybersecurity