“We want everybody to be truly adopting secure development practices, not for the sake of adopting them, but because security is an enabler to our future in future of everything digital. If we don’t build secure software, it’s not going to do what we want it to do. That’s the whole point,” DeRusha said in an exclusive interview with Federal News Network. “We really just want to ensure that people are thinking about this that way, this is something that they want and need and is good for them. It’s not a new compliance requirement. That isn’t going to have any value or benefit, and I think that just having the right mentality and taking the time, if you do already understand that and live that ethos, to help share that with others in your organization so that they don’t look at it as something new and burdensome.”
This is part of the reason why OMB decided to take the common refrain of “crawl, walk and run” to roll out the software security requirements.
This is also part of the reason why four industry associations are pushing back against the House version of the fiscal 2023 defense authorization bill. It includes a provision that would require the Department of Homeland Security to issue guidance for all new and current contracts requiring vendors to provide “the bill of materials used for such contract, upon the request of such officer; and the certification and notifications” that the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service, particularly those listed in the vulnerability databases run by the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency.
NIST guidance still new to many
DeRusha said NIST’s software supply chain guidance from February lays a solid foundation that OMB’s memo builds upon, but for many agencies, overseeing and understanding how to buy secure software is still in the early stages.
This is also a big reason why OMB decided to require software companies to self-attest to meeting the requirements in NIST’s guidance.
“I think this is the right way to start with something as new as the Secure Software Development Framework, as everybody’s learning the tech signs around that, as folks are learning how to do a sound third-party assessment on all those practices. There are some new practices in there, again, already mentioned one software bill of materials (SBOM) and that’s in this framework,” DeRusha said. “As we know, it’s something that’s still really maturing and being built out so how do you assess what is good? That’s a question that is being answered as we go. So with the approach maturing among agencies, the readiness to ensure that these requirements are being followed is something that we want to make sure that we’re learning all the lessons as we get into it.”
DeRusha readily admitted that the self-attestation requirement comes with some risks. He said one big one is creating a compliance mentality among agencies and vendors.
And as the federal community, and particularly the Defense Department, saw with NIST’s guidance around controlled unclassified information (CUI) under Special Publication 800-171, self-attestation doesn’t always lead to successful protection of data or networks.
A recent survey by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) found that out of 300 assessments it did over the last few years, only 25% of the companies were compliant with the 110 requirements in SP 800-171.
Software ecosystem isn’t ready
In the memo, OMB said the self-attestation is the floor for software security oversight. DeRusha said if there is a situation where agencies feel the need to bring in a third party, such as those companies under the Federal Risk and Authorization Management Program (FedRAMP), they are encouraged to do so to mitigate the risks.
“This approach is really allowing us to learn where the gaps are and keep moving,” he said. “We’re going to be situated because there will be Federal Acquisition Regulations (FAR) rules that come out and there’s going to be binding requirements on all federal contracts around these practices. It’s going to take some time and this memo is really about getting agencies focused and learning and maturing their practices, so that when those become requirements everywhere, we will have learned a lot and be more mature and ready for that moment.”
DeRusha added that because the NIST standards are only a few months old, it didn’t make sense to make adherence obligatory and provable.
“I’m not really sure the ecosystem has been developed around supporting having compulsory requirements for third-party assessments in every instance,” he said. “We still have to get the attestation form printed through the Paperwork Reduction Act (PRA) and public comments, and out as a standard, right. There’s just so many building blocks and pieces that need to come. We’re just being responsible about the rollout.”
DeRusha said OMB will continue to work with the CIO, CAO and other councils to ensure the memo’s deadlines are understood and met.