<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

Deadline alert: OMB cybersecurity list of "critical software" due by Oct. 9

Amy Hays
by Amy Hays
on October 7, 2021

Don't miss the latest from Tidelift

Back in May, the U.S. White House released cybersecurity executive order 14028, an attempt by the government to use its buying power to prevent high profile breaches like the Colonial Pipeline ransomware attack and the SolarWinds software supply chain attack. 

We’ve discussed this topic extensively because it’s a huge deal and impacts organizations using open source to develop applications. A few weeks ago, Tidelift co-founder and CEO Donald Fischer discussed the details in a 30-minute briefing, explaining why organizations should care about this EO and noting some upcoming deadlines. 

Well, one of the more labor-intensive deadlines for U.S. federal agencies is upon us: in memorandum M-21-30, the Office of Management and Budget (OMB) indicated that agencies must “identify all agency critical software, in use or in the process of acquisition,” within 60 days of the memo, which is October 9, 2021.

Sounds like a lot, but the good news is that agencies don’t have to identify every piece of software by Oct. 9, just “critical software,” which includes network, system administration, security tools—oh, and “direct software dependencies.” 

Luckily, the Tidelift Subscription can help your organization with that—as part of the Tidelift free trial, you can download a software bills of material (SBOM) to meet that requirement. For more information on the topic, check out some of these resources below:

New call-to-action