Attestation of secure software development: (another) government requirement | Fenwick & West LLP
On September 14, 2022, the Office of Management and Budget (“OMB”) issued a memorandum, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (“OMB Memo”), to help ensure the security of software used by the federal government. While the OMB memo provides guidance to agencies, any company that produces software (defined as firmware, operating systems, applications, and application services, such as cloud-based software as a service, or products that include software) and expects to license to government end users must:
- Develop the software in accordance with the National Institute of Standards and Technology (“NIST”) risk-based secure software development standards,
- Provide self-attestation, and
- Produce, upon request, documentation such as a software bill of materials or participation in a vulnerability disclosure program.
These requirements apply to agency (and contractor) use of software developed after September 14, 2022, and to existing software that is modified by major version changes after that date.
Last year, President Biden called on federal agencies to improve their cybersecurity capabilities and protect the nation’s critical software supply chain. See Executive Order 14028 (“Cyber EO”). The Cyber EO directed NIST to develop supply chain security guidelines, which NIST completed in February 2022. The resulting NIST Guidelines comprise: (1) the Secure Software Development Framework (“SSDF”) version 1.1, detailing secure software development best practices, and (2) supply chain security guidance for federal agencies on how to purchase software, including open source software and software developed by agencies.
Last week’s OMB memo requires federal agencies to comply with NIST guidelines when using third-party “software” on agency information systems or otherwise affecting agency information.
What companies should do:
If a company develops and licenses “software” (defined as firmware, operating systems, applications, and application services such as cloud-based software as a service, or products that include software) to government entities, the company should determine whether its software development process meets the NIST guidelines for secure software development.
After analyzing the software development process against the NIST guidelines, the company must certify that it follows these secure development practices; this self-attestation is the “declaration of compliance” under the NIST guidelines. If a company cannot provide the attestation in the format requested by the government, it can document how it will mitigate the identified risks in a Plan of Action and Milestones (“POA&M”). In lieu of self-attestation, companies may also provide assessments prepared by FedRAMP-certified third-party assessor organizations (“3PAO”). Agencies may require a formal 3PAO assessment based on product criticality.
The Federal Acquisition Regulatory Council will develop a uniform standard attestation form, but until the final rule is published, any self-attestation must include:
- The name of the software producer
- The most complete description possible of the products covered by the statement (preferably company-wide or product-line-wide statements covering all unclassified products).
- An attestation that the software producer follows secure development practices and tasks, as stated in the attestation.
Document your software development
The OMB memo explains that companies can submit artifacts to federal agencies that demonstrate compliance with secure software development practices. In addition, the federal agency may require a Software Bill of Materials (“SBOM”) in the solicitation requirements, depending on the criticality of the software. According to the OMB, artifacts other than an SBOM (for example, evidence of automated tools and processes that validate source code integrity and check for known or potential vulnerabilities) may also be required. Companies should be prepared to provide these documents with responses to solicitations and ensure that the sales team is equipped to answer questions regarding the secure software development process.
Key points to remember
Companies providing software or code to the government must:
- Anticipate government requirements: Because of the cascading impact of these rules, companies should review the NIST guidelines now to ensure they are adhering to secure software development principles, and start implementing the necessary changes today.
- Prepare a draft self-attestation: While the FAR Council finalizes its rulemaking, develop a self-attestation containing the type of information required by the OMB memo.
- Prepare your SBOM: Since federal contractors, including commercial off-the-shelf (“COTS”) vendors, will likely see these requirements incorporated into contract solicitations and terms, develop your SBOM now so it is ready when solicitations arrive.
- Consider proactively publishing your self-attestation and SBOM: If possible, determine if you can provide your self-attestation and SBOM securely on your website. (However, DO NOT publicly post your gap analysis, risk mitigation plan, or POA&M.)
- Evaluate how this requirement intersects with other software supply chain considerations more broadly: Your company may also face export controls applicable to its products and technology; foreign ownership, control or influence (“FOCI”) factors in maintaining a security clearance or in sales to defence/intelligence customers; and other federal supply chain restrictions, such as limits on sourcing software components from, or allowing their inspection in, certain countries such as China or Russia. We can advise you on how to strategically manage all of these factors together and implement internal controls capable of satisfying all requirements at once.