On September 14, 2022, the Office of Management and Budget (“OMB”) issued a memorandum on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (“OMB Memo”) to help ensure software security. While the OMB Memo provides direction to agencies, any company that produces software (defined as firmware, operating systems, applications and application services, such as cloud-based Software as a Service, or products that include software) and expects to license to government end users must:
- Develop the software in accordance with the National Institute of Standards and Technology (“NIST”) risk-based secure software development standards,
- Provide a self-attestation, and
- Produce, if requested, documentation such as a software bill of materials or evidence of participation in a vulnerability disclosure program.
These requirements apply to agency (and contractor) use of newly developed software, as well as the use of existing software that is modified by major version changes, after September 14, 2022.
Last year, President Biden required federal agencies to enhance agency cybersecurity capabilities and protect the nation’s critical software supply chain. See Executive Order 14028 (“Cyber EO”). The Cyber EO tasked NIST with developing guidance on supply chain security, which NIST completed in February 2022. NIST developed and published the NIST Guidance consisting of: (1) the Secure Software Development Framework (“SSDF”) Version 1.1, detailing secure software development best practices, and (2) Supply Chain Security Guidance for federal agencies on how to procure software, including open-source software and agency-developed software.
Last week’s OMB Memo requires federal agencies to comply with the NIST Guidance when using third-party “software” on the agency’s information systems or otherwise affecting the agency’s information.
What Must Companies Do:
If a company develops and licenses “software” (defined as firmware, operating systems, applications, and application services, such as cloud-based Software as a Service, or products that include software) to government entities, then the company must determine whether its software development process meets the NIST Guidance for secure software development.
Provide a Self-Attestation
After analyzing the software development process against the NIST Guidance, the company must self-attest that it follows these secure development practices; this self-attestation is the “conformance statement” under the NIST Guidance. If a company cannot provide the attestation in the government’s requested format, it may document how it will mitigate those risks in a Plan of Action & Milestones (“POA&M”). In lieu of self-attestation, companies may provide assessments prepared by certified FedRAMP Third Party Assessor Organizations (“3PAO”). Agencies may require a formal 3PAO assessment depending on the criticality of the product.
The Federal Acquisition Regulatory Council will develop a uniform standard attestation form, but until the final rule comes out, any self-attestation must include:
- The Software Producer’s name
- The most inclusive description of the products the statement covers (ideally companywide or product-line statements covering all unclassified products).
- An attestation that the Software Producer follows the secure development practices and tasks as stated in the attestation.
Document your Software Development
The OMB Memo explains that companies may submit to federal agencies artifacts that demonstrate conformance to secure software development practices. Further, the federal agency may require a Software Bill of Materials (“SBOM”) in solicitation requirements, based on the criticality of the software. According to OMB, artifacts other than the SBOM (e.g., output from the automated tools and processes that validate the integrity of the source code and check for known or potential vulnerabilities) may also be required. Companies should be prepared to provide these documents with solicitation responses and ensure that the sales team is equipped to answer questions regarding the secure software development process.
Companies providing software or code to the government should:
- Anticipate the government requirement: Because of the cascading impact, companies should study the NIST Guidance now to ensure that they follow the secure software development principles. Start implementing any necessary changes today.
- Prepare a draft self-attestation: While the FAR Council finalizes rulemaking, develop a self-attestation containing the type of information that the OMB Memo requires.
- Pull your Software Bill of Materials: Because federal contractors, including commercial-off-the-shelf (“COTS”) companies, will likely see these requirements built into solicitations and contract terms, develop your SBOM now so you have it ready to respond to solicitations.
- Consider proactively publishing your self-attestation and SBOM: If possible, determine whether you can provide your self-attestation and SBOM securely on your website. (However, DO NOT publicly post your gap analysis, risk mitigation plan, or POA&M.)
- Evaluate how this requirement intersects more broadly with other software supply chain considerations: Your company may need to address export controls applicable to your product and technology, the foreign ownership, control or influence (“FOCI”) factors in maintaining a security clearance or selling to customers in the defense/intelligence sector, and other federal procurement restrictions on sourcing software components from, or permitting their inspection in, certain countries such as China or Russia. We can advise you on how to strategically navigate all of these factors together and implement internal controls that satisfy all requirements at once.