Late last year, the United States Office of Management and Budget (OMB) published a memorandum, M-22-18, that required federal agencies to comply with the guidelines regarding ensuring the safety and integrity of third-party software on federal information technology systems. This memorandum applied to the use of firmware, operating systems, applications, cloud-based software and general software.
The memo requires federal agencies to comply with the National Institute of Standards and Technology (NIST) guidance, as detailed in President Biden’s cybersecurity Executive Order 14028, and stipulated that agencies “only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.”
The memo instructed agencies to collect a standardized self-attestation form from all software contractors before deploying their products. Initially, each agency will identify the software and collect the self-attestations forms. The end goal is to create a government-wide central repository of all software-related information, to shore up any cybersecurity vulnerabilities.
I wanted to provide you with a brief update on where the NIH Information Technology Acquisition and Assessment Center (NITAAC) is in the self-attestation process and make you aware of some key dates that will impact your company.
NITAAC is working with the OMB to determine the formal agency posture on this matter. We also are working to finetune the process for our communications requirements, as it relates to collecting the self-attestation forms.
In the meantime, contractors should be aware of the following key dates:
- June 11, 2023: NITAAC deadline to collect self-attestation forms from critical software providers.
- September 14, 2023: NITAAC deadline to collect the forms from all software providers on the NITAAC networks.
- TBD: If needed, NITAAC will request a software bill of materials or other artifact(s) that demonstrate conformance with secure software development practices.
You will hear more from NITAAC as we get additional clarity, however, I wanted you to know you are not in this alone. I understand that this request presents several challenges on your end, in terms of staffing and the additional labor required to conduct and submit the self-attestations.
We face those same challenges at NITAAC. One of the biggest obstacles being faced on the federal level is that of time. The reality is that the government likely will not be able to produce and distribute the attestation forms in a timely manner. Unfortunately, if we cannot do so, this administrative burden will fall upon our contract holders, as you will then need to develop your own forms.
I can’t promise that this process will be smooth, as there are several variables at play, but what I can promise is that we will be as transparent as possible and will make it our business to provide you with timely and relevant updates.
I value our partnership and look forward to attesting the safety, integrity and security of all the software our contract holders provide to the federal government. This will become just one more example of the high-quality, best in class service agencies can expect from the NITAAC Contract Holders.
We will discuss this further on our next Contact Holders’ call.
To read the Executive Order, visit https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity. To learn more about the OMB Memo, visit https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf.