White House Provides New Guidance & Extends Deadline for Secure Software Attestations

Sheppard Mullin Richter & Hampton LLP

On June 9, 2023, OMB released additional guidance on the implementation of OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, which requires that federal agencies only use third-party software from software producers that attest to compliance with the secure software development guidance issued by the National Institute of Standards and Technology (NIST), principally the Secure Software Development Framework (SSDF, NIST SP 800-218). Agencies must obtain a self-attestation from the software producer before using any software that “affects” government information or will be used on government information systems. The requirements are discussed in more detail here.

The new OMB guidance, OMB Memorandum M-23-16 (available here), extends the timeline for agencies to collect attestations from software producers. Agencies are now required to collect attestation letters from software producers for “critical” software no later than three months after OMB approves the CISA common self-attestation form, and for all other software no later than six months after OMB approves the form. As discussed here, CISA is currently seeking comment on the common self-attestation form until June 26, 2023.

OMB’s new memorandum M-23-16 provides additional guidance on the scope of the requirements in memorandum M-22-18.

  • Agencies will not be required to collect attestations from producers of third-party software components that are incorporated into software end products; the attestation obligation rests with the producer of the end product into which those components are built.
  • Agencies will not be required to collect attestations for open-source software or for products that are proprietary but freely obtained and publicly available.
  • Software developed under a federal contract at the direction of a federal agency may still be subject to attestation requirements. In that case the agency must ensure that secure software development practices are followed throughout the software’s entire development lifecycle.

Memorandum M-23-16 also changes how software producers may use Plans of Action & Milestones (POA&Ms). A software producer must identify any secure software development practices to which it cannot currently attest, document the practices it is using to mitigate the resulting risks, and submit a POA&M to the agency. When a producer submits a POA&M, the agency may continue to use the software, but it must seek an extension of the attestation deadline from OMB and provide OMB with a copy of the POA&M. If the agency fails to submit the extension request, the POA&M is considered invalid and the agency may not continue using the software. The agency must also discontinue use of the software if it is unsatisfied with the POA&M documentation or is unable to confirm that the mitigating practices are actually in place.

Software producers whose software is used by the government should continue preparing for the new attestation requirements and ensure they are meeting the secure software development practices outlined by NIST, since any practice they cannot attest to will have to be disclosed and addressed through a POA&M.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
