by Jeanne Zepp

Moving federal agencies to a zero trust model is a complex effort comprising many moving parts. A simple read of Executive Order (EO) 14028 and Office of Management and Budget (OMB) Memorandum 22-09 highlights the vast array of challenges the proposition poses – and the many tasks that must be undertaken to achieve this goal.

Both documents recognize that the software supply chain constitutes a major vulnerability and thus a cybersecurity risk to federal systems and networks. The rationale is simple: software procured from third-party vendors currently is acquired and downloaded without any guarantee as to code integrity or security screening. EO 14028 therefore charged the National Institute of Standards and Technology (NIST) with guidance creation to “enhance the security of the software supply chain” and tasked OMB with mandating guidance adherence by federal agencies upon its promulgation.

On September 14, 2022, the federal government took a major step forward in closing the third-party software vulnerability gap with the issuance of OMB M-22-18. Now, federal agencies can only purchase software from producers that can attest that they complied with and conformed to NIST Special Publication (SP) 800-218 and NIST Software Supply Chain Security Guidance, collectively called “NIST Guidance.” Moreover, these attestations must encompass software development efforts throughout the software lifecycle. Self-attestations are allowed, although agencies may require a third-party assessment when acquiring a critical service or product. The compliance self-attestation must be obtained from the vendor prior to software use. Ideally, software producers should be made aware of the requirement during the solicitation process.

The federal government took a major step forward in closing the third-party software vulnerability gap with the issuance of OMB M-22-18.

OMB characterizes the NIST Guidance, which reflects input from experts in government, industry and academia, as providing “a set of practices that create the foundation for developing secure software.” The NIST Guidance, especially Table 1 in NIST SP 200-18, defines four practices – Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW) and Respond to Vulnerabilities (RV) – and the recommended actions and tasks that contribute to the Secure Software Development Framework. NIST cautions, however, that the lengthy table offers only a subset of what an organization may need to do; detailed references offer a more complete picture.

The requirements imposed on vendors are many. Quoting from OMB M-22-18, the four minimum self-attestation requirements are:

1. The software producer's name
2. A description of which product or products the statement refers to (preferably focused at the company or product line level and inclusive of all unclassified products sold to federal agencies)
3. A statement attesting that the software producer follows secure development practices and tasks that are itemized in the standard self-attestation form
4. Self-attestation is the minimum level required; however, agencies may make risk-based determinations that a third-party assessment is required due to the criticality of the service or product that is being acquired, as defined in M-21-30.

Self-attestation is the minimum level required; however, agencies may make risk-based determinations that a third-party assessment is required due to the criticality of the service or product that is being acquired.

In addition, agencies may require software vendors to provide a Software Bill of Materials and/or other “artifacts” supporting the vendor’s adherence to secure software development practices. Notably, OMB, working with the U.S. Department of Homeland Security, will develop a self-attestation form that many federal agencies can use.

According to Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, the NIST Guidance “will ensure that millions of lines of code that underpin federal agencies’ work are built with industry security standards in place.” He further posits that it “will allow us to fulfill our commitment to continue to lead by example while protecting the national and economic security of our country.”

There is little doubt that this requirement is an important step forward in moving toward a zero trust model and strengthening federal systems and networks. It also signals positive change for the private sector given the degree to which government and industry rely on the same software and software producers. In fact, the timing couldn’t be better. Verizon’s 2022 Data Breach Investigations Report (DBIR) noted an unexpected finding: for the first time software updates made its list of top breach vectors reported by participating organizations. So, too, did desktop sharing software. Shoring up this vulnerability in third-party software will benefit both government and industry.