White House extends secure software attestation deadlines, offers clarifying guidance

The White House Office of Management and Budget is extending the deadline for when agencies have to start collecting software security attestation forms from contractors.

In a memo released today, OMB directs agencies to begin collecting attestations for “critical software” no later than three months after the Cybersecurity and Infrastructure Security Agency’s common attestation form is finalized under the Paperwork Reduction Act.

Agencies have six months from the form’s finalization to start collecting attestations for all third-party software covered by OMB’s security requirements.

The previous deadlines for collecting attestation forms, under a White House memo issued last September, were going to be June 12 for critical software and Sept. 14 for all software.

There isn’t a set date for when the administration is expected to finalize the secure attestation form.

CISA published a draft version of the “Secure Software Self-Attestation Form” expected to be used by all agencies in late April. The agency is accepting comments on the form through June 26. But the release date of the draft form raised questions about whether OMB would hold to the original deadlines.

The form is a crucial piece of the Biden administration’s push to ensure agencies only use securely developed software. Agencies will require software vendors to fill out the form and self-attest to following secure development practices outlined by the National Institute of Standards and Technology.

The requirements stem from the May 2021 cybersecurity executive order and efforts to improve security after a 2020 incident where several agencies and large corporations were compromised by malicious code that was added into SolarWinds software.

Once finalized, agencies across government are expected to use the form to meet the OMB requirements. The form will have to be signed by a company’s chief executive officer or a designated employee.

Jason Weiss, the former Defense Department Chief Software Officer and co-founder of Digital Triad Group, said the changes OMB provided on Friday show the government is “serious” about its software security push.

“They have listened to industry, provided clarifying scope, and we can see in this new memo how the administration continues to take steps to re-balance cybersecurity risk by placing the burden on the software producer,” Weiss told Federal News Network.

The OMB memo clarifies that agencies only have to collect attestations from the “producer of the software end product,” as that organization is “best positioned to ensure its security.”

“Accordingly, agencies are not required to collect attestations from producers of third-party software components that are incorporated into the software end product used by the agency,” the memo states. “This is true for both third-party open-source and proprietary components. A component, whether open source or proprietary, only qualifies as a ‘third-party’ component if it was developed by an entity other than the producer of the software end product into which it is incorporated.”

Weiss said the clarification shows the administration is continuing to apply the model used for automobile safety to the world of software.

“Whoever performs the final assembly of the software application is on the hook for the attestation, not the underlying suppliers,” Weiss said. “The brake company doesn’t attest to the buyer that the brakes are sufficient for the size and weight of the vehicle – the vehicle manufacturer does.”

Furthermore, “the government won’t need to collect 100 attestations for a single application, but instead one from the software vendor that does the final assembly of that software,” Weiss added.

Meanwhile, the memo makes clear software resellers also won’t have to provide an attestation, a boon for partner networks common in the world of cloud and modern IT applications. “This is a very powerful and much needed clarification,” Weiss said.

OMB also clarifies that agencies aren’t required to collect attestations for products that are proprietary but are “freely obtained and publicly available.”

“A significant number of core software applications, such as web browsers, to which federal agencies must have access are offered for use to members of the public at no cost,” the memo continues. “Users of this software have no opportunity to negotiate with the producer, and therefore it will not be feasible for agencies to obtain attestations from the producers of such software. Agencies are, nevertheless, required to assess the risk in utilizing such software and take appropriate steps to minimize or eliminate identified risks.”

Meanwhile, agency-developed software also remains outside the scope of the attestation mandate, but the memo clarifies that contracting agencies still need to ensure that software developed under a federal contract follows NIST’s Secure Software Development Framework.

“If there are questions regarding whether software developed by federal contractors should be considered agency-developed, agency [chief information officers] are required to make that determination on behalf of the agency,” the memo states. “Agency CIOs are in the best position to determine in a given case whether the agency’s specification and supervision of contract performance meet the standard articulated above.

In those cases, Weiss said he believes there will be “tremendous pressure” on agency CIOs to require contractors to attest to the secure software development framework.

“Any failure to pass this requirement on creates tremendous risk for the agency CIOs, and we are operating in an era of intense focus on reducing the risk to the government’s operational environment,” he said. “I’d be shocked if an agency CIO were to disregard the applicability of SSDF across the agency’s contractor base because it would send the message that ‘We don’t care if our software is secure.'”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.