Recent Supply Chain Security Guidance Impacts the Federal Software Market

Published: May 25, 2022

Tags: Federal Market Analysis, Cybersecurity, Information Technology, Policy and Legislation

Federal directives to implement greater software product cybersecurity have implications for both software suppliers and federal agencies.

The May 2021 Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity is a broad-sweeping White House directive that impacts federal cybersecurity practices, contract requirements and supplier practices. One key aspect of the EO addresses improving Software Supply Chain Security (SSCS).

Provisions in the EO directed the National Institute of Standards and Technology (NIST) to publish guidance on practices for SSCS and for federal agencies to comply with the published guidance when procuring software or a product containing software.

Federal Supply Chain Security – Background

Scrutiny of the federal supply chain, and efforts to address concerns about it, have been growing for years. In 2012, NIST published Notional Supply Chain Risk Management Practices for Federal Information Systems to help agencies manage the risks associated with the purchase and implementation of information and communications technology (ICT) products and services. More recently, in February 2021 NIST published key practices in Cyber Supply Chain Risk Management (C-SCRM) to offer best practices on how businesses may mitigate risk.

NIST SSCS Guidance Supporting EO 14028 Provisions

In pursuit of the EO’s SSCS directives, NIST solicited community input and held two open workshops as they developed new or updated guidance. The following three guidance documents support both sides of the federal software market – producers/suppliers and federal buyers.

  • Software Producer Guidance: In February 2022 NIST updated its existing SP 800-218, Secure Software Development Framework (SSDF) Version 1.1, to fully address the SSCS provisions in the EO from a software producer viewpoint, i.e. the practices, actions or outcomes software producers should address to enhance the security of their software.
  • Agency Procurement Guidance: In February 2022 NIST also published guidance providing baseline recommendations to federal agencies on ensuring that the producers of software (or products containing software) which agencies procure have been following a risk-based approach for secure software development throughout the software life cycle. Agencies may have more stringent requirements as needed.
  • Deeper Supply Chain Risk Management: In May 2022 NIST published SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations to provide guidance to agencies, producers, suppliers and service providers, etc. on mitigating supply chain cybersecurity risks, addressing more stringent agency requirements not sufficiently covered by the baselines in the February guidance.

Software Supplier Impacts

Software suppliers whose products are procured by federal agencies will be required to provide a conformance statement attesting that their software development processes follow government-specified SSDF practices. But the requirements do not stop there. Resellers of software products should ensure that they can provide a reference to the software producer’s conformance statement for each software product they resell.

Further, the scope of NIST’s February 2022 agency procurement guidance noted above “includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. … Open-source software that is bundled, integrated, or otherwise used by software purchased by a federal agency is [also] in scope.”

The end result is that software producers will need to strengthen both their secure software development processes and their documentation of those processes. Suppliers of products that include covered software will need to obtain and manage conformance documentation from their component software suppliers so that they can provide this documentation to their federal customers.

Ideally, the end result will be more secure software with limited cost impacts associated with the supporting processes.