In May 2021, the U.S. government issued Executive Order 14028 on Improving the Nation’s Cybersecurity in response to increasing digital threats such as the one that impacted SolarWinds and its customers. As directed by Executive Order 14028, the National Institute of Standards and Technology (NIST) published detailed guidance on secure software development standards (including third-party software) in the NIST Secure Software Development Framework (SSDF), SP 800-218 and the NIST Software Supply Chain Security Guidance documents.
In September 2022, the Office of Management and Budget (OMB) released memorandum M-22-18, which formalized the NIST SSDF guidance, requiring organizations selling software to the government to self-attest that they comply with these guidelines, with the earliest deadline falling in June 2023. (You can review the key M-22-18 deadlines for self-attestation in this blog post.) Self-attestation includes accounting for the security and maintenance practices followed by the open source software projects being used in applications.
More recently, in the National Cybersecurity Strategy unveiled in March 2023, the U.S. government stated that it will offer "safe harbor" protections for organizations that can attest that their software development practices comply with the NIST SSDF guidelines. It’s more important than ever for organizations building with open source to educate themselves on these guidelines, both to prepare for upcoming deadlines and to take advantage of safe harbor protections.
Join us Tuesday, April 18 at 2 p.m. ET when Lauren Hanford, Tidelift VP of Product, and Kanish Sharma sit down to discuss the NIST Secure Software Development Framework and share how organizations building applications with open source software can take the necessary steps to follow its guidance.