On September 14, 2022, the Office of Management and Budget (OMB) published a memo setting out cybersecurity guidelines for the federal government’s software providers. The directive was based on the Executive Order (EO) signed by US President Joe Biden on May 12, 2021, to improve cybersecurity amid the increased risks plaguing the nation’s privacy and data security.
As per the memo published by the White House, software companies working with the US government need to attest that their products comply with the latest national cybersecurity standards.
Why secure software development practices matter
In a blog post, Federal Chief Information Security Officer and Deputy National Cyber Director Chris DeRusha discussed the latest guidelines and said, “With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”
The federal government’s reliance on information and communications technology (ICT) products and services makes it a prime target for cybercriminals. Since critical functions depend on these services from outside entities, the EO directed the responsible departments to address this risk. The National Institute of Standards and Technology (NIST), which handles the nation’s technology and innovation needs, created the Secure Software Development Framework (SSDF) and the NIST Software Supply Chain Security Guidance documents, collectively called the NIST Guidance. The OMB was directed to comply with these guidelines.
The framework of the enhanced guidelines
Per the guidelines, Agency Chief Information Officers (CIOs) and Chief Acquisition Officers (CAOs) have been directed to oversee software producers as they implement the practices and attest to conformity. Agencies are required to obtain a self-attestation from the software producer before using the software, as that attestation serves as the producer’s conformance statement.
Responsibilities mentioned in the memorandum
Within 90 days of the release of these guidelines, agencies are required to begin collecting the attestations and carrying out the other actions specified. Moreover, the OMB must post instructions for submitting waiver requests on MAX.gov.
The Cybersecurity and Infrastructure Security Agency (CISA) is expected to establish programs such as a standard self-attestation ‘common form’ and a plan for a government-wide repository for software attestations, among others, within a stipulated time frame. NIST is also asked to update the SSDF guidance as required.
The summary of the memorandum is mentioned in the table below:
What the improved guidelines say
These guidelines have been set to strengthen the security of the software supply chain serving the federal government, including through the ‘zero trust’ strategy. The zero-trust approach requires validating every interaction and eliminating implicit trust, helping to build better infrastructure and protect national and economic security.
Unlike in the past, when software was accepted based only on the vendor’s advertised claims, it will now pass through official review steps and channels. This will ensure that federal agencies adopt a product only after checking it against the proper criteria. This was necessary to restore and build trust among the public, the government and businesses so that they can carry out their functions safely.