OMB: new acquisition rule coming for vendors to vouch for their software security

The exterior of the Eisenhower Executive Office Building, located adjacent to The White House, is viewed on June 6, 2017 in Washington, D.C.

The exterior of the Eisenhower Executive Office Building, located adjacent to The White House, is viewed on June 6, 2017 in Washington, D.C. George Rose/Getty Images

Agencies are also allowed to accept to-do lists from vendors who need to keep working up to a point where they can self-attest their compliance with NIST guidance.

The Federal Acquisition Regulatory Council will soon propose a rule requiring federal agencies to use a uniform, standard self-attestation form when seeking assurances from software vendors that their products were developed using guidance from the National Institute of Standards and Technology.  

“Agencies are encouraged to use a standard self-attestation form, which will be made available,” in line with the new rule, according to a memo the Office of Management and Budget issued Wednesday. 

The memo was issued under Executive Order 14028, which President Joe Biden signed in May 2021 in response to the hack referred to as SolarWinds, after the federal IT management contractor that was exploited in the intrusion campaign compromising at least nine federal agencies.

“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” Federal Chief Information Security Officer Chris DeRusha wrote announcing the memo. “With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”

But in addition to approving the use of self-attestation, the OMB memo allows agencies to accept what is essentially a promise from vendors that they will work toward being able to comply with the NIST guidance on a specific timeline.

“If the software producer cannot attest to one or more practices from the NIST Guidance identified in the standard self-attestation form, the requesting agency shall require the software producer to identify those practices to which they cannot attest, document practices they have in place to mitigate those risks, and require a Plan of Action & Milestones (POA&M) to be developed,” the memo reads. “If the software producer supplies that documentation and the agency finds it satisfactory, the agency may use the software despite the producer’s inability to provide a complete self attestation.” 

The OMB memo spells out specific timelines for agencies to gather the vendor attestations and for the Cybersecurity and Infrastructure Security Agency to eventually establish a secure, interagency repository for the attestation letters in tandem with the White House.