Secure Software, Part 2: OMB Will Require Assurances from Software Producers

Published: September 15, 2022

Federal Market Analysis, Cybersecurity, CISA, OMB, Policy and Legislation

Software producers supplying federal agencies will be required to attest to compliance with federal guidelines on software security.

Recently, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) published new guidance for software developers to bolster software supply chain security (SSCS) (see Part 1). Now the White House has weighed in on the topic to move things further forward.

The Office of Management and Budget (OMB) has directed federal departments and agencies to comply with federal software supply chain security guidance issued by the National Institute of Standards and Technology (NIST). The NIST guidance and OMB directive fulfill elements of the 2021 White House Executive Order on Improving the Nation’s Cybersecurity (EO 14028) to establish new requirements to secure the federal government’s software supply chain, including developing systematic reviews, process improvements, and security standards for software developers and suppliers as well as federal customers and acquisitions personnel.

The new OMB directive requires each federal agency to comply with NIST SSCS guidance “when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.” Further, “Federal agencies must only use software provided by software producers who can attest to complying with [NIST defined] secure software development practices.”

New Requirements Across the Software Supply Chain

The new OMB memo places requirements upon the following entities in the federal software supply chain (emphasis added).

Software Producers (i.e. vendors)

  • Provide a self-attestation to agencies stating that the software producer follows secure development practices per NIST’s guidance; this attestation serves as a “conformance statement.”
  • Note: Vendors may be required to undergo third-party assessments, provide a Software Bill of Materials (SBOM), or provide other artifacts that demonstrate conformance to secure software development practices. OMB gives agencies the leeway to make risk-based determinations to require artifacts beyond the self-attestation.

Federal Agencies

  • Inventory all third-party software, including “critical software” (see OMB M-21-30 Protecting Critical Software Through Enhanced Security Measures) (within 90 days)
  • Develop a consistent process to communicate relevant SSCS requirements to software vendors and ensure vendor attestation letters are collected in one central agency repository system (within 120 days)
  • Collect attestation letters for “critical software” (within 270 days) and for all software (within 365 days)
  • Assess training needs and develop training plans for the review and validation of software attestations and artifacts (within 180 days)
  • Note: Agencies may request an extension or waiver for specific requirements up to 30 days before any relevant deadline.

OMB

  • Post specific instructions for requesting waivers and extensions for agencies (within 90 days)
  • Establish the requirements for a centralized repository for agency secure software attestations and artifacts (within 180 days)

CISA

  • Establish a self-attestation common form incorporating the minimum elements of NIST’s Secure Software Development Framework (SSDF, NIST SP 800-218) as identified by OMB (within 120 days)
  • Establish a program plan for a government-wide repository for software attestations and artifacts, with appropriate mechanisms for information protection and sharing among federal agencies (one year from the establishment of OMB’s requirements)
  • Demonstrate Initial Operating Capability (IOC) of the attestation and artifact repository (18 months after OMB’s requirements are established) and evaluate requirements for the Full Operating Capability (FOC) of an interagency repository (6 months after that)

Implications

Efforts to harden the federal software supply chain continue to place requirements on software producers, federal customers, and the supporting industry partners that make up the federal software landscape. For example, OMB notes that “software,” for its purposes, “includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”

This broad scope covers a huge spectrum of products and services across the entire federal procurement landscape, not just what is traditionally considered software or IT. This is especially true as embedded technologies continue to expand into almost every area of daily operations.

OMB did provide some runway for ramping up these requirements by saying they “apply to agencies’ use of software developed after the effective date of this memorandum, as well as agencies’ use of existing software that is modified by major version changes.” So it appears that software producers have until their next major version release to get their processes and artifacts in order before compliance is expected. That is likely not much time if the company has not already started down this road.