The White House Office of Management and Budget is extending the deadline for when agencies have to start collecting software security attestation forms from contractors.
In a memo released today, OMB directs agencies to begin collecting attestations for “critical software” no later than three months after the Cybersecurity and Infrastructure Security Agency’s common attestation form is finalized under the Paperwork Reduction Act.
Agencies have six months from the form’s finalization to start collecting attestations for all third-party software covered by OMB’s security requirements.
The previous deadlines for collecting attestation forms, under a White House memo issued last September, were going to be June 12 for critical software and Sept. 14 for all software.
There isn’t a set date for when the administration is expected to finalize the secure attestation form.
CISA published a draft version of the “Secure Software Self-Attestation Form” expected to be used by all agencies in late April. The agency is accepting comments on the form through June 26. But the release date of the draft form raised questions about whether OMB would hold to the original deadlines.
The form is a crucial piece of the Biden administration’s push to ensure agencies only use securely developed software. Agencies will require software vendors to fill out the form and self-attest to following secure development practices outlined by the National Institute of Standards and Technology.
The requirements stem from the May 2021 cybersecurity executive order and efforts to improve security after a 2020 incident where several agencies and large corporations were compromised by malicious code that was added into SolarWinds software.
Once finalized, agencies across government are expected to use the form to meet the OMB requirements. The form will have to be signed by a company’s chief executive officer or a designated employee.
In extending the deadlines today, OMB also offered several clarifying points around how agencies should approach the secure software requirements.
It clarifies that agencies only have to collect attestations from the “producer of the software end product,” as that organization is “best positioned to ensure its security.”
“Accordingly, agencies are not required to collect attestations from producers of third-party software components that are incorporated into the software end product used by the agency,” the memo states. “This is true for both third-party open-source and proprietary components. A component, whether open source or proprietary, only qualifies as a ‘third-party’ component if it was developed by an entity other than the producer of the software end product into which it is incorporated.”
It also clarifies that agencies aren’t required to collect attestations for products that are proprietary but are “freely obtained and publicly available.”
“A significant number of core software applications, such as web browsers, to which federal agencies must have access are offered for use to members of the public at no cost,” the memo continues. “Users of this software have no opportunity to negotiate with the producer, and therefore it will not be feasible for agencies to obtain attestations from the producers of such software. Agencies are, nevertheless, required to assess the risk in utilizing such software and take appropriate steps to minimize or eliminate identified risks.”
Meanwhile, agency-developed software also remains outside the scope of the attestation requirements, but the memo clarifies that contracting agencies still need to ensure that software developed under a federal contract follows NIST’s Secure Software Development Framework.
“If there are questions regarding whether software developed by Federal contractors should be considered agency-developed, agency CIOs are required to make that determination on behalf of the agency,” the memo states. “Agency CIOs are in the best position to determine in a given case whether the agency’s specification and supervision of contract performance meet the standard articulated above.