OMB memorandum works on enhancing security of software supply chain while complying with NIST guidance

The Office of Management and Budget (OMB) published Wednesday a memorandum that focuses on enhancing the security of the software supply chain through secure software development practices. The OMB memorandum builds on U.S. President Joe Biden’s Executive Order 14028, issued in May 2021, which addresses the security and integrity of the software supply chain and emphasizes the importance of secure software development environments.

The memorandum said that the EO directs the National Institute of Standards and Technology (NIST) to issue guidance ‘identifying practices that enhance the security of the software supply chain.’ The NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance together include a set of practices that form the foundation for developing secure software. The EO also directs the OMB to require agencies to comply with such guidelines, and “this memorandum requires agencies to comply with the NIST Guidance and any subsequent updates,” it added.

The OMB memorandum, addressed to the heads of executive departments and agencies, applies across all federal agencies whenever they use third-party software on their information systems. Companies that supply software to U.S. federal agencies should also take note, since it applies to current as well as new acquisition contracts for third-party software products.

The document comes at a time when the global supply chain has been facing relentless threats from nation states and criminal actors seeking to steal sensitive information and intellectual property, compromise the integrity of government systems, and conduct other acts that impact the U.S. government’s ability to provide services to the public, it added. 

“Consistent with these authorities and the directives of EO 14028, this memorandum requires each Federal agency to comply with the NIST Guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information,” the memorandum said. 

The document also includes certain conditions that apply to the requirements of this memorandum. “These requirements apply to agencies’ use of software developed after the effective date of this memorandum, as well as agencies’ use of existing software that is modified by major version changes (e.g., using a semantic versioning schema of Major.Minor.Patch, the software version number goes from 2.5 to 3.0) after the effective date of this memorandum,” it added. 

Additionally, these requirements do not apply to agency-developed software, although agencies are expected to take appropriate steps to adopt and implement secure software development practices for agency-developed software, the memorandum said. “An agency awarding a contract that may be used by other agencies is responsible for implementing the requirements of this memorandum,” it added.
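As an added illustration, not part of the memorandum or of this article, the scope conditions above can be applied mechanically to a software inventory: third-party software is in scope if it was developed after the effective date or if an existing product crossed a major version boundary (2.5 to 3.0) after that date, while agency-developed software is excluded. The record layout, field names, effective date and the four inventory entries below are constructed assumptions for the example; which date counts as "developed after" is also a simplifying assumption, since the page does not define it.

```python
"""Scope check for the memorandum's self-attestation requirement.

Added example, not from OMB or the memorandum. The record layout, the
effective date and the sample inventory are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple
import re

# Assumption: effective date used for the example (the memorandum's own
# effective date is not stated on this page).
EFFECTIVE_DATE = date(2022, 9, 14)

# Major.Minor[.Patch], with an optional leading "v".
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_major(version: str) -> int:
    """Return the Major component of a Major.Minor.Patch version string."""
    m = SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    return int(m.group(1))


def is_major_change(old: str, new: str) -> bool:
    """True when the Major number increased, e.g. 2.5 -> 3.0 (2.5 -> 2.6 is not)."""
    return parse_major(new) > parse_major(old)


@dataclass
class SoftwareRecord:
    name: str
    producer: str
    agency_developed: bool
    critical: bool                        # on the separate 'critical software' inventory
    developed: date                       # assumption: release date of the version first used
    versions: List[Tuple[str, date]]      # (version, date deployed), oldest first
    attestation_on_file: bool


def attestation_required(rec: SoftwareRecord, effective: date = EFFECTIVE_DATE) -> bool:
    """Apply the memorandum's scope conditions to one inventory record."""
    if rec.agency_developed:
        return False          # excluded, though SSDF adoption is still expected
    if rec.developed >= effective:
        return True           # software developed after the effective date
    # Existing software: in scope only if a major version change was
    # deployed after the effective date.
    for (prev, _), (cur, deployed) in zip(rec.versions, rec.versions[1:]):
        if deployed >= effective and is_major_change(prev, cur):
            return True
    return False


def build_inventories(records, effective: date = EFFECTIVE_DATE):
    """Split in-scope records into the general and 'critical software'
    inventories, and list those with no self-attestation letter on file."""
    general, critical, missing = [], [], []
    for r in records:
        if not attestation_required(r, effective):
            continue
        (critical if r.critical else general).append(r.name)
        if not r.attestation_on_file:
            missing.append(r.name)
    return general, critical, missing


def sample_inventory() -> List[SoftwareRecord]:
    """Constructed sample data covering each scope condition."""
    return [
        SoftwareRecord("alpha-suite", "Vendor A", False, True, date(2022, 10, 1),
                       [("1.0.0", date(2022, 10, 1))], False),
        SoftwareRecord("beta-db", "Vendor B", False, False, date(2019, 6, 1),
                       [("2.5.1", date(2021, 3, 1)), ("2.6.0", date(2022, 11, 1)),
                        ("3.0.0", date(2023, 2, 1))], True),
        SoftwareRecord("gamma-tool", "Vendor C", False, False, date(2020, 1, 1),
                       [("1.4.0", date(2020, 1, 1)), ("1.5.0", date(2022, 12, 1))], False),
        SoftwareRecord("delta-internal", "Agency", True, True, date(2023, 1, 1),
                       [("4.0.0", date(2023, 1, 1))], False),
    ]


if __name__ == "__main__":
    general, critical, missing = build_inventories(sample_inventory())
    print("general inventory:", general)
    print("critical software inventory:", critical)
    print("attestation letters still to collect:", missing)
```

Running the sample places alpha-suite on the critical inventory and beta-db on the general one (its 3.0.0 deployment after the effective date is a major version change), leaves gamma-tool out because 1.4 to 1.5 is only a minor change, and excludes delta-internal as agency-developed.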

The OMB memorandum said that ensuring software integrity is key to protecting federal systems from threats and vulnerabilities and reducing overall risk from cyber-attacks. It called upon federal agencies to only use the software provided by software producers who can attest to complying with the government-specified secure software development practices, as described in the NIST guidance. 

The NIST guidance provides ‘recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development.’

The memorandum, in accordance with EO 14028 and the NIST guidance, calls upon agency chief information officers (CIOs), in coordination with requiring offices and chief acquisition officers (CAOs), to take steps to ensure that software producers have implemented, and will attest to conformity with, secure software development practices.

Consistent with the NIST guidance, agencies are required to obtain a self-attestation from the software producer before using the software, the OMB memorandum said. “A software producer’s self-attestation serves as a ‘conformance statement’ described by the NIST Guidance. The agency must obtain a self-attestation for all third-party software subject to the requirements of this memorandum used by the agency, including software renewals and major version changes,” it added. 

It also added that agencies may obtain from software producers artifacts that demonstrate conformance to secure software development practices, as needed. Furthermore, compliance with the EO and NIST guidance requires that agencies engage in appropriate planning. 

“As agencies develop requirements that include the use of new software, they must request confirmation that the software producer utilizes secure software development practices,” the memorandum said. “This could be accomplished through specification of these requirements in the Request for Proposal (RFP) or other solicitation documents, but regardless of how the agency ensures compliance, the agency must ensure that the company implements and attests to the use of secure software development practices consistent with NIST Guidance, throughout the software development lifecycle,” it added.

The OMB memorandum said that, within 90 days of the date of the memorandum, agencies must inventory all software subject to its requirements, with a separate inventory for ‘critical software.’ Within 120 days, agencies shall develop a consistent process to communicate the memorandum’s relevant requirements to vendors, and ensure that attestation letters not posted publicly by software providers are collected in one central agency system.

Within 180 days of the date of the memorandum, agency CIOs, in coordination with the agency requiring activities and agency CAOs, shall assess organizational training needs and develop training plans for the review and validation of full attestation documents and artifacts. Agencies shall collect attestation letters not posted publicly by software providers for ‘critical software’ within 270 days after publication of the memorandum, and for all software subject to the memorandum’s requirements within 365 days after publication.

Agencies may request an extension for complying with the requirements of the OMB memorandum. “The extension request shall be submitted to the Director of OMB and must be transmitted 30 days before any relevant deadline in this memorandum and accompanied by a plan for meeting the underlying requirements,” it added.

The OMB memorandum stipulates that agencies may request a waiver—only in the case of exceptional circumstances and for a limited duration—for any specific requirement(s) of this memorandum. “The waiver request must be submitted to the Director of OMB and must be transmitted 30 days before any relevant deadline in this memorandum and accompanied by a plan for mitigating any potential risks. The Director of OMB, in consultation with the Assistant to the President and National Security Advisor (APNSA), will consider granting the request on a case-by-case basis. Specific instructions for submitting requests for waivers will be posted in MAX at this URL.” 

The OMB must, within 90 days from the date of the memorandum, post specific instructions for submitting requests for waivers or extensions to the MAX.gov links referenced above. “Within 180 days from the date of this memorandum, OMB, in consultation with CISA and the General Services Administration (GSA), will establish requirements for a centralized repository for software attestations and artifacts, with appropriate mechanisms for the protection and sharing among Federal agencies,” it added.

CISA shall, within 120 days from the date of the memorandum and in consultation with OMB, establish a standard self-attestation ‘common form’ for Paperwork Reduction Act (PRA) clearance that is suitable for use by multiple agencies. “Within 1 year from OMB’s establishment of requirements, CISA, in consultation with GSA and OMB, will establish a program plan for a government-wide repository for software attestations and artifacts with appropriate mechanisms for information protection and sharing among Federal agencies,” the memorandum added.

Further, within 18 months from OMB’s establishment of requirements, CISA will demonstrate an Initial Operating Capability (IOC) of the repository. “Within 24 months from OMB’s establishment of requirements, CISA will evaluate requirements for the Full Operating Capability (FOC) of a Federal interagency software artifact repository through traditional OMB processes. CISA will publish updated guidance on Software Bill of Materials (SBOM) for Federal agencies, as appropriate,” it added. 

The OMB memorandum also called upon NIST to update the SSDF guidance as appropriate.

CISA rolled out its 2023-2025 Strategic Plan this week, the agency’s first comprehensive plan of action to focus and guide its efforts over the next three years. The Strategic Plan communicates the agency’s mission and vision, promotes unity of effort across the agency and its partners, and defines what success looks like for CISA as an agency.

Earlier this month, CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released actionable guidance for software supply chain development, production, distribution, and management processes, to increase the resiliency of these processes against compromise. All organizations have a responsibility to establish software supply chain security practices to mitigate risks, but an organization’s role in the software supply chain lifecycle determines the shape and scope of that responsibility.
