The Office of Management and Budget (OMB) issued a memorandum dated September 14, 2022, with the subject "Enhancing the Security of the Software Supply Chain through Secure Software Development Practices." It is a result of the President's Executive Order on Improving the Nation's Cybersecurity.
OMB is requiring Federal agencies to comply with additional NIST requirements. The new requirements, which OMB defines as "NIST guidance," represent the foundation for developing secure software and comprise the following two documents:
- NIST Secure Software Development Framework (SSDF) SP 800-218
- NIST Software Supply Chain Security Guidance
While this guidance is directed at Federal agencies, implementing these requirements will significantly affect companies that supply software, or products that include software, to the federal government.
What Can a Software Developer Expect?
The change is effective September 14, 2022, but OMB gives Federal agencies until mid-December 2022 to inventory and identify all software, including critical software.
Once agencies identify the software products they consider critical, they are required to communicate with the software providers. OMB defines software very broadly, to include the following:
- Firmware
- Operating systems
- Applications
- Application services (e.g., cloud-based software)
- Products containing software
Companies should be on the lookout for a notification, as the next step for Federal agencies is to require software providers and developers to provide a self-attestation prior to being awarded future federal contracts. Since there is no contract clause for this requirement, companies may see this pop up as a special clause or requirement in a solicitation.
Where Can I Find the Self-Attestation Form?
A self-attestation form has not been developed yet; the FAR Council is working on a uniform standard form. OMB has, however, stated that the self-attestation must include the following information:
- The software developer's name
- A description of the product (e.g., at the product line level)
- A statement that the software developer follows the secure development practices and tasks itemized in the self-attestation form
What is a Task?
It is not defined. Companies will need to determine which practices in the "NIST guidance" documents are relevant to mitigating threats to their software development process and include them in their assessment. Hopefully the self-attestation form that the FAR Council is working on will include guidance.
Companies that provide software, or products that contain software, to the government should be on the lookout for a notification before the end of December 2022. If you are notified, pay careful attention to the requirements for a self-attestation, as it may be a requirement in a solicitation you are responding to. At present, there is no standard attestation form or specific direction to contractors.
Redstone GCI can provide our clients with more information and guidance in working with established, industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments, and POA&Ms for the information technology infrastructure. Redstone GCI, along with our trusted partners, can bring you a full solution for ensuring that cybersecurity policy and flow-down requirements across all aspects are accomplished, including but not limited to purchasing policy requirements.