Yesterday the White House Office of Management and Budget issued guidelines (the “Guidelines”) requiring all federal agencies to buy and use software that comply with “secure development practices” developed by the National Institute of Standards and Technology (“NIST”). The Guidance follows an Executive Order (“EO”) of May 2021 on improving cybersecurity across government agencies and is congruent with a broader trend of privacy and cybersecurity being a top of mind issue for federal government stakeholders. A press release from the White House explained that “[b]y strengthening our software supply chain through secure software development practices, we are building on the Biden-Harris Administration’s efforts to modernize agency cybersecurity practices, including our federal ‘zero trust’ strategy, improving our detection and response to threats, and our ability to quickly investigate and recover from cyber-attacks.”
EO 14028, Improving the Nation’s Cybersecurity, (dated May 12, 2021), addressed the security and integrity of the software supply chain and underscored the vital importance of secure software development environments. EO 14028 directed NIST to issue guidance “identifying practices that enhance the security of the software supply chain.” The Guidelines refer to (1) the NIST Secure Software Development Framework (SSDF), SP 800-218, and the (2) NIST Software Supply Chain Security Guidance (collectively, the “NIST Guidance”) as including specified practices that create a foundation for developing secure software.
The Guidelines require federal agencies to comply with NIST Guidance “when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.” This includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. The Guidelines exempt agency-developed software, although cautions that agencies are nevertheless expected to adopt secure software development practices for agency-developed software.
As set forth in the Guidelines, federal agency Chief Information Officers (CIOs), in conjunction with others, must take certain steps to ensure software producers have implemented and will attest to conformity with secure software development practices. This includes, as specified in greater detail in the Guidelines:
- Consistent with the NIST Guidance and by the timelines identified in the Guidelines, agencies are required to obtain a self-attestation from a software producer before using the software.
- Agencies may obtain from software producers artifacts that demonstrate conformance to secure software development practices, as needed.
This development is part of a continued federal response to foreign governments and cybercriminals seeking to compromise digital infrastructure in the U.S. The Guidelines were issued in response to “a string of cyber intrusions and significant software vulnerabilities over the last two years that have threatened the delivery of Government services to the public, as well as the integrity of vast amounts of personal information and business data that is managed by the private sector.”