Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
Agencies will require software vendors to self-certify that they’re following secure development practices under new White House guidance, but it leaves the door open for departments to mandate third-party security assessments as well.
“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” DeRusha wrote. “With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”
The OMB memo requires agencies to ensure their software is developed in line with two documents published earlier this year by the National Institute of Standards and Technology: a “Secure Software Development Framework” (SSDF), as well as “Software Supply Chain Security Guidance.”
Crucially, the OMB memo only requires agencies to obtain a self-attestation from the software producer that it followed the NIST practices.
“A software producer’s self-attestation serves as a ‘conformance statement’ described by the NIST Guidance,” the OMB memo states. “The agency must obtain a self-attestation for all third-party software subject to the requirements of this memorandum used by the agency, including software renewals and major version changes.”
The OMB memo also allows for agencies to accept a “plan of action and milestones” from software vendors in cases where they can’t meet all of the NIST practices.
But OMB will allow agencies to set more stringent software security requirements if they see fit.
“Self-attestation is the minimum level required; however, agencies may make risk-based determinations that a third-party assessment is required due to the criticality of the service or product that is being acquired,” the memo states.
The requirements apply to agencies’ use of software developed after today’s memo, as well as any existing software that is modified by a major version change.
“These requirements do not apply to agency-developed software, although agencies are expected to take appropriate steps to adopt and implement secure software development practices for agency-developed software,” the memo adds.
DeRusha says the guidance was developed with input from the public and private sector, as well as academia. It builds on other Biden administration initiatives, like the federal zero trust strategy.
“The guidance released today will help us build trust and transparency in the digital infrastructure that underpins our modern world and will allow us to fulfill our commitment to continue to lead by example while protecting the national and economic security of our country,” he wrote in the blog post.
Henry Young, director of policy at industry group BSA, The Software Alliance, applauded the software security guidance.
“BSA is pleased to see OMB’s guidance includes many of the best practices contained in BSA’s 2019 Framework for Secure Software,” Young said. “We advocated that this guidance place similar secure development requirements on software developed by the U.S. government and will continue to support more deliberate and consistent requirements across the federal enterprise in future iterations.”
Key software security deadlines
Agencies have 90 days to inventory all their third-party software, including a separate inventory for “critical software,” according to the memo.
Within 120 days, agencies need to develop “a consistent process to communicate relevant requirements in this memorandum to vendors, and ensure attestation letters not posted publicly by software providers are collected in one central agency system.”
They have 270 days to collect attestation letters not posted publicly for “critical software.” Within one year, agencies should have collected the letters for all third-party software.
Agency chief information officers also have 180 days to “assess organizational training needs and develop training plans for the review and validation of full attestation documents and artifacts.”
OMB is also working with the Cybersecurity and Infrastructure Security Agency and General Services Administration over the next 180 days to establish requirements for a “centralized repository for software attestations and artifacts.”
CISA is also working on a standard self-attestation form that can be used by all agencies. And over the next year, CISA is required to come up with a plan for “a government-wide repository for software attestations and artifacts with appropriate mechanisms for information protection and sharing among Federal agencies,” the memo states.
Agencies that procure goods and services on behalf of other agencies, like the GSA, will be on the hook for including the software security requirements in contracts.
“An agency awarding a contract that may be used by other agencies is responsible for implementing the requirements of this memorandum,” the memo states.
The role of SBOMs
The memo also encourages, but does not require, agencies to obtain artifacts from software vendors “that demonstrate conformance to secure software development practices, as needed.” That can include a Software Bill of Materials, or an SBOM, an inventory of code used in a software application.
OMB is directing agencies to use SBOMs that conform with data formats established by the National Telecommunications and Information Administration report on SBOMs, or any future guidance published by CISA.
“Agencies shall consider reciprocity of SBOM and other artifacts from software producers that are maintained by other federal agencies, based on direct applicability and currency of the artifacts,” the memo states.
In addition to the software inventories, OMB suggests agencies could use evidence such as the vendor’s participating in a vulnerability disclosure program, or require confirmation that they use automated tools and processes to check their source code.
“Agencies are encouraged to notify potential vendors of requirements as early in the acquisition process as feasible, including leveraging pre-solicitation activities,” the memo states.