Today we continue our series (see here and here) with the Office of Management and Budget’s September 2022 memorandum requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the NIST. The new requirements will apply to any third-party software that is used on government information systems or that otherwise “affects” government information. You can read our article about the guidance here.

The FAR Council is currently drafting a proposed FAR rule addressing Supply Chain Software Security to integrate these requirements into federal contracts.

Putting it Into Practice – What to expect in 2023: OMB’s guidance provided a timeline for agency adoption of these requirements and when requirements will be communicated to software producers. We expect agencies will begin communicating requirements in early 2023 and begin collecting attestation letters for critical software this summer. Software producers should evaluate their software against the NIST guidance. For federal contractors and software resellers, the impact and scope of these requirements remains unclear, but we anticipate additional guidance in 2023.