On September 14, 2022, the Executive Office of the President, Office of Management and Budget (OMB) released memorandum M-22-18, a direct follow-up to White House Executive Order 14028. The memorandum formalizes the secure software development practices defined in the NIST Secure Software Development Framework (SSDF) and requires that producers selling software to the U.S. government self-attest that they follow the NIST software supply chain security guidance. Because a typical modern application is built largely from open source (an average of roughly 70% of its components), this means attesting to the development practices of the open source components used in those applications as well, not just the code the producer wrote itself.
What is an attestation?
Attestation is the “issue of a statement, based on a decision, that fulfillment of specified requirements has been demonstrated.”
In this case, organizations selling software to the government will be required to self-attest (that is, to sign a statement themselves rather than obtain a third-party certification) that they conform with all of the secure software development practices outlined in the NIST guidance.
Source: Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e
How can Tidelift help organizations with open source attestations?
To show how we help organizations meet the self-attestation requirements for the open source components used in their applications, we’ve created a sample open source attestation report. It draws on the most comprehensive database of maintainer-validated security and maintenance attestations, available only from Tidelift. We can create a customized attestation report much like this one for any customer, with attestations included for the exact open source packages they use.
Tidelift pays open source maintainers to ensure their projects follow important security and maintenance practices like those found in the NIST SSDF and keep those attestations current.
The attestations presented in the report are assertions about open source software development practices at the package level. Each one is produced through a blend of manual and automated assessment and is recorded as a piece of metadata mapped to the corresponding NIST SSDF practice, so a reader can trace every claim in the report back to the specific SSDF requirement it addresses.
The attestation report is delivered in a machine-readable format that can be referenced from an SBOM, or provided as a standalone report that complements your organization’s own internal software development practices. The report covers only the open source components; when combined with information about your organization’s internal secure development practices, it supplies the maintainer-validated data you need to satisfy the NIST SSDF attestation requirements for the full application.
Learn more about the Tidelift open source attestation report and visit our government open source cybersecurity resource center to keep up to date on the latest government actions and requirements.