The US OMB has launched new guidance on the prerequisites and procedures for federal agencies to acquire security guarantees from software vendors.
This builds upon President Joe Biden’s cybersecurity executive order from May 2021, with the OMB having issued a directive (M-22-18) last year necessitating software vendors to assure the security of their products.
The guarantees must cover all software developed after September 14, 2022, and even include software created before this date if it undergoes major updates or provides continuous service updates. At the very least, vendors must provide a self-attestation form, with the potential for further requirements such as a software bill of materials (SBOM), other artifacts, or running a vulnerability disclosure programme.
The most recent memorandum, M-23-16, reiterates the previous directives and extends the deadline for US federal agencies to receive attestations. Critical software attestations must now be received within three months after the Cybersecurity and Infrastructure Security Agency’s (CISA) M-22-18 attestation form is approved by OMB under the Paperwork Reduction Act (PRA). For other software, the attestation must be received within six months after the approval of the common form.
US federal agencies do not need to acquire attestations for third-party software components but must evaluate the risk of freely obtained and publicly available proprietary software, such as web browsers. Furthermore, attestations are required even for software modified, configured, or deployed by a contractor on behalf of an agency.
If a vendor cannot provide an attestation for their software, but offers documentation on non-compliant practices, federal agencies must notify OMB and request an extension to the attestation deadline. However, the agencies may continue using the software.
Copyright © 2023 RegTech Analyst
Copyright © 2018 RegTech Analyst
