Secure Software Development Attestation:… | Fenwick & West LLP

TL;DR

On September 14, 2022, the Office of Management and Budget (“OMB”) issued a memorandum on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (“OMB Memo”) to help ensure software security. While the OMB Memo provides direction to agencies, any company that produces software (defined as firmware, operating systems, applications and application services, such as cloud-based Software as a Service, or products that include software) and expects to license to government end users must:

  • Develop the software in accordance with the National Institute of Standards and Technology (“NIST”) risk-based secure software development standards,
  • Provide a self-attestation, and
  • Produce, if requested, documentation such as a software bill of materials or participation in a vulnerability disclosure program.

These requirements apply to agency (and contractor) use of developed software, as well as the use of existing software that is modified by major version changes, after September 14, 2022.

Background

Last year, President Biden required federal agencies to enhance agency cybersecurity capabilities and protect the nation’s critical software supply chain. See Executive Order 14028 (“Cyber EO”). The Cyber EO tasked NIST with developing guidance on supply chain security, which NIST completed in February 2022. NIST developed and published the NIST Guidance consisting of: (1) the Secure Software Development Framework (“SSDF”) Version 1.1 detailing secure software development best practices, and (2) Supply Chain Security Guidance for federal agencies on how to procure software, including open-source software and agency-developed software.

Last week’s OMB Memo requires federal agencies to comply with the NIST Guidance when using third-party “software” on the agency’s information systems or otherwise affecting the agency’s information.

What Must Companies Do:

If a company develops and licenses “software” (defined as firmware, operating systems, applications, and application services, such as cloud-based Software as a Service, or products that include software) to government entities, then the company must determine if its software development process meets the NIST Guidance for secure software development.

Provide a Self-Attestation

After analyzing the software development process against the NIST Guidance, the company must self-attest that it follows these secure development practices – this self-attestation is the “conformance statement” under the NIST Guidance. If a company cannot provide the attestation in the government’s requested format, it can document how it will mitigate those risks in a Plan of Action & Milestones (“POA&M”). In lieu of self-attestation, companies may also provide assessments prepared by certified FedRAMP Third Party Assessor Organizations (“3PAO”). Agencies may require a formal 3PAO assessment depending on the criticality of the product.

The Federal Acquisition Regulatory Council will develop a uniform standard attestation form, but until the final rule comes out, any self-attestation must include:

  • The Software Producer’s name
  • The most inclusive description of the products the statement covers (ideally companywide or product-line statements and all unclassified products).
  • An attestation that the Software Producer follows secure development practices and tasks as stated in the attestation.

Document your Software Development

The OMB Memo explains that companies may submit to federal agencies artifacts that demonstrate conformance to secure software development practices. Further, the federal agency may require a Software Bill of Materials (“SBOM”) in solicitation requirements, based on the criticality of the software. According to OMB, artifacts other than the SBOM (e.g., from the use of automated tools and processes which validate the integrity of the source code and check for known or potential vulnerabilities) may also be required. Companies should be prepared to provide these documents with solicitation responses and ensure that the sales team is equipped to answer questions regarding the secure software development process.

Key Takeaways

Companies providing software or code to the government should:

  • Anticipate the government requirement: Because of the cascading impact, companies should study the NIST Guidance now to ensure that they follow the secure software development principles. Start implementing any necessary changes today.
  • Prepare a draft self-attestation: While the FAR Council finalizes rulemaking, develop a self-attestation with the type of information that the OMB Memo requires.
  • Pull your Software Bill of Materials: Because federal contractors, including commercial-off-the-shelf (“COTS”) companies, will likely see these requirements built into solicitations and contract terms, develop your SBOM now so you have it ready to respond to solicitations.
  • Consider proactively publishing your self-attestation and SBOM: If possible, determine whether you can provide your self-attestation and SBOM securely on your website. (However, DO NOT publicly publish your gap analysis, risk mitigation plan, or POA&M.)
  • Evaluate how this requirement intersects more broadly with other software supply chain issues: Your company may also want to address export controls applicable to your product and technology, the foreign ownership, control or influence (“FOCI”) factors in maintaining a security clearance or selling to customers in the defense/intelligence sector, and other federal procurement restrictions on sourcing software components or permitting their inspection in certain countries such as China or Russia. We can advise you on how to strategically navigate all of these factors together and implement internal controls that can satisfy all requirements at once.
