On September 14, 2022, the Executive Office of the President, Office of Management and Budget (OMB) released memorandum M-22-18 on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, a direct follow-up to White House Executive Order 14028. It formalizes the NIST guidance provided in the NIST Secure Software Development Framework and NIST Software Supply Chain Security Guidance documents as the government requirements for developing secure software, and mandates federal government agencies comply with these guidelines.
Update: since this post was first published, in June 2023 the OMB released memorandum M-23-16 as an update to the original guidance provided in M-22-18. Memorandum M-23-16 extends the dates for compliance by a minimum of 3 months for critical software and 6 months for all other software.
Critical dates from M-22-18
M-22-18 also sets aggressive deadlines for compliance for several key role players: the federal agencies that procure software and services, organizations that produce and sell software to federal agencies, and CISA and NIST. Summarized here are the important dates for action items applicable to these organizations (some of which have already passed):
- December 13, 2022: By this date, federal agencies will have inventoried all software subject to OMB memorandum M-22-18 and flagged software deemed critical.
- December 13, 2022: OMB will post specific instructions for submitting requests for waivers or extensions to the MAX.gov link.
- January 12, 2023: By this date, federal agencies will develop a process to communicate requirements to vendors and ensure that vendor attestation letters can be collected in a central agency system.
- January 12, 2023: CISA, in consultation with OMB, will establish a standard self-attestation “common form” for Paperwork Reduction Act (PRA) clearance that is suitable for use by multiple agencies.
- March 13, 2023: By this date, federal agencies will have assessed training needs and developed plans for the review and validation of attestation documents.
- March 13, 2023: OMB, in consultation with CISA and the General Services Administration (GSA), will establish requirements for a centralized repository for software attestations and artifacts, with appropriate mechanisms for protection and sharing among Federal agencies.
- NEW April 27, 2023: CISA proposes a draft self-attestation form and provides a 60-day window for public feedback on the draft.
- June 11, 2023: By this date, federal agencies will require self-attestations from software producers for critical software they use.
- NEW June 26, 2023: Deadline for public feedback on the proposed CISA attestation form. (M-23-16)
- September 14, 2023: By this date, federal agencies will require self-attestations from all other providers of software they use.
- September 14, 2023: CISA, in consultation with GSA and OMB, will establish a program plan for a government-wide repository for software attestations and artifacts with appropriate mechanisms for information protection and sharing among Federal agencies.
- NEW 3 months from OMB approval of the attestation form: By this time, agencies must collect attestations for critical software subject to the requirements of M-22-18 and M-23-16. (M-23-16)
- NEW 6 months from OMB approval of the attestation form: By this time, agencies must collect attestations for all software subject to the requirements delineated in M-22-18. (M-23-16)
- March 14, 2024: CISA will demonstrate an Initial Operating Capability (IOC) of the repository.
- September 14, 2024: CISA will evaluate requirements for the Full Operating Capability (FOC) of a Federal interagency software artifact repository through traditional OMB processes.
- NEW Within 1 year of issuance of the memorandum: OMB will begin to collect metrics on agency approval of POA&Ms, as well as the number of extensions and waivers in place at each agency. (M-23-16)
- As appropriate: CISA will publish updated SBOM guidance for Federal agencies.
- As appropriate: NIST will update SSDF guidance.
Note that organizations will be required to self-attest that their software meets NIST self-attestation requirements as early as June 2023 (for critical software) and no later than September 2023 (for all other software).
NEW An update with M-23-16: Assuming the CISA form is approved without delay, mandatory attestation compliance dates will likely fall somewhere around late 2023 for critical software and early 2024 for all other software.
What is an attestation?
Attestation is the “issue of a statement, based on a decision, that fulfillment of specified requirements has been demonstrated.”
In this case, organizations selling software to the government will be required to self-attest that they conform with all of the secure software development standards outlined in the NIST guidelines.
Source: Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e
The above dates are likely only one piece of the U.S. government’s strategy for improving national cybersecurity outcomes. We recommend that organizations selling software or solutions to the government that include open source software components make note of these dates and start to assess how they can be compliant with the various requirements proposed in the timeline above.
Questions you may want to begin asking within your organization:
- Are we using open source components in the applications we provide to the government today?
- If so, how do we plan to attest to the security practices followed by the independent open source maintainers of these components?
- If we consider open source a critical component in our software supply chain, what is our business / contractual relationship with maintainers, i.e., why should they do this security work for us?
- If we do not have an open source self-attestation strategy, how will we comply with new government guidelines?
Tidelift’s unique people and software approach to address these needs
Tidelift partners directly with the independent maintainers behind thousands of the most widely used open source packages to help ensure their packages meet critical federal and industry standards. We analyze and aggregate the most meaningful standards (from multiple sources, including NIST, OpenSSF, SLSA and others) and pay open source maintainers to ensure their packages meet these standards.
Through exclusive partnerships with open source maintainers, Tidelift is able to provide contextually relevant, human-verified open source package information that organizations can use to make decisions about their self-attestations.
Be sure to bookmark the government open source cybersecurity resource center to keep abreast of the latest information and details, including upcoming deadlines and more information on how these regulations impact organizations developing applications with open source.