The Office of Management and Budget (OMB) today issued marching orders to Federal agencies to take action to comply with National Institute of Standards and Technology (NIST) guidance for the use of secure supply chain software, as ordered by President Biden’s cybersecurity executive order issued in May 2021.
The Sept. 14 memo from OMB Director Shalanda Young points Federal agencies to NIST’s Secure Software Development Framework and Software Supply Chain Security Guidance publications, with orders to comply with them and any subsequent updates from NIST.
The memo “requires each Federal agency to comply with the NIST Guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.” It defines “software” to include “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”
Those requirements apply to agencies’ use of software developed after Sept. 14, and their use of existing software that has been modified by major version changes. The requirements do not apply to software developed by Federal agencies, although it says “agencies are expected to take appropriate steps to adopt and implement secure software development practices for agency-developed software.”
“Federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance,” OMB said.
What’s Next for Agencies
OMB set out a number of steps for Federal agency chief information officers (CIOs) going forward, including:
- Obtaining self-attestations from software producers that they have implemented and will attest to conformity with security software development practices;
- Obtaining self-attestation for all third-party software used by the agency, including software renewals and major version changes;
- Encourage software producers to be “product inclusive so that the same attestation may be readily provided to all purchasing agencies”;
- If a software producer cannot attest to the NIST guidance, the agency must require the producer to identify practices to which it cannot attest, document risk mitigation practices, and require development of an action plan with milestones.
OMB said that the Federal Acquisition Regulatory Council plans to develop a standard self-attestation form. It also said agencies may require a software bill of materials (SBOM) in solicitation requirements, depending on the criticality of the software.
The OMB memo also provides a list of deadlines for agencies over the near term:
- Within 90 days, inventory all software subject to the memo, with a separate inventory for critical software;
- Within 120 days, develop “a consistent process to communicate relevant requirements in this memorandum to vendors, and ensure attestation letters not posted publicly by software providers are collected in one central agency system”;
- Within 270 days, collect attestation letter not publicly posted by software providers for critical software, and ensure they are collected in one central agency system;
- Within 365 days, collect attestation letters not publicly posted by software providers for all software subject to the OMB memo; and
- Within 180 days, assess organizational training needs and develop training plans for review and validation of full attestation documents and artifacts.
OMB said that agencies can request waivers to those deadlines, but only “in case of exceptional circumstances and for a limited duration.” Requests will be considered on a case-by-case basis.
Separately, OMB staked itself to a 180-day deadline to work with the General Services Administration (GSA) and the Cybersecurity and Infrastructure Security Administration (CISA) to propose requirements for a centralized repository for software attestations and artifacts, with mechanisms for protection and sharing among Federal agencies.
OMB gave CISA the tasks of developing a standard attestation common form, and a program plan for a government-wide repository.
Federal CISO Comments
Federal Chief Information Security Officer (CISO) Chris DeRusha said today that the OMB guidance will “ensure Federal agencies utilize software that has been built following common cybersecurity practices.”
“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” he said. “With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”
The Federal CISO recounted the 2020 SolarWinds supply chain hack that impacted government agencies and private sector companies, and President Biden’s cybersecurity executive order that responded to it.
OMB’s guidance, he said, “will ensure that millions of lines of code that underpin Federal agencies’ work are built with industry security standards in place.”
“The guidance, developed with input from the public and private sector as well as academia, directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the Federal government to quickly identify security gaps when new vulnerabilities are discovered,” DeRusha said.
Gordon Bitko, senior vice president of policy for public sector at the Information Technology Industry Council, said his group welcomed the OMB guidance, and called it “an important next step to advance President Biden’s historic cybersecurity executive order released last year.”
“We appreciate that the administration describes an implementation process and timeline for NIST guidance and prioritizes stakeholder feedback,” he said. “We further appreciate the standardization and centralization of reporting requirements, which will minimize the administrative cost.”
“Further, while SBOMs can be a useful tool to increase software transparency, there are implementation challenges that will need to be addressed in order for them to be effective,” Bitko said. “We look forward to working with the administration to address this guidance and continue the important effort to bolster U.S. cybersecurity.”
Paul Martini, chief executive officer at iboss, said, “Today’s guidance is another important step forward in ensuring a consistent approach to cybersecurity across agencies and vendors. By relying on frameworks from organizations such as the National Institute of Standards and Technology (NIST), the White House is helping strengthen the security of the software supply chain, which has been a key focus of the Biden administration.”
“Today’s guidance, combined with the past White House orders on critical issues such as Zero Trust Architecture as described in NIST 800-207, are creating a strong foundation that’s helping America improve its overall security posture,” he said.