US Government Wants Security Guarantees From Software Vendors


The White House announced on Wednesday that the Office of Management and Budget (OMB) has issued new guidance with the aim of ensuring that federal agencies only use secure software.

The guidance, named ‘Enhancing the Security of the Software Supply Chain through Secure Software Development Practices’, builds on the cybersecurity executive order signed by President Joe Biden in May 2021.

A memorandum from the OMB requires federal agencies to comply with NIST guidance — for secure software development and supply chain security — when using third-party software. In order to ensure compliance, agencies will have to at least obtain a self-attestation form from software developers whose products they are using or plan on using.

“A software producer’s self-attestation serves as a ‘conformance statement’ described by the NIST Guidance. The agency must obtain a self-attestation for all third-party software subject to the requirements of this memorandum used by the agency, including software renewals and major version changes,” the memo reads.

The OMB noted that self-attestation is the minimum level required, but agencies can also make risk-based determinations for a third-party assessment if the product or service that is being acquired is critical.

Agencies can require a software bill of materials (SBOM) and other artifacts that can prove the vendor’s compliance, and they can also require the company to run a vulnerability disclosure program.


Agencies are required to inventory all of the software that is subject to the new requirements (with critical software on a separate list), create a process for communicating these requirements to software providers, and make sure they get the needed attestation letters from vendors. The letters must be obtained within 270 days for critical software and within one year for other software.


Some developers could make these letters public, which would make them easier to obtain, and agencies can also request extensions and waivers if needed.

The Cybersecurity and Infrastructure Security Agency (CISA) has been tasked with creating a standard self-attestation form that can be used by agencies.

The memorandum comes shortly after CISA, the NSA and the Office of the Director of National Intelligence (ODNI) started publishing a series of guidance documents focusing on securing the software supply chain.

In January, the White House hosted a summit where representatives of the government and the tech sector gathered to discuss open source software security. The event was held shortly after the Log4Shell vulnerability came to light.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
