US government software suppliers must attest their solutions are secure
The Office of Management and Budget has issued a memo requiring US federal government agencies to use software that has been built according to secure software development practices and whose developers follow practices for software supply chain security, as specified by the National Institute of Standards and Technology.
"Agencies are required to obtain a self-attestation from the software producer before using the software," the memo says, and "If the software producer cannot attest to one or more practices from the NIST Guidance identified in the standard self-attestation form, the requesting agency shall require the software producer to identify those practices to which they cannot attest, document practices they have in place to mitigate those risks, and require a Plan of Action & Milestones to be developed."
If the software producer cannot produce a self-attestation (e.g., for open source software or products incorporating open source software), the agency must instead obtain a third-party assessment from either a certified FedRAMP Third Party Assessor Organization (3PAO) or an assessor approved by the agency.
The attestation requirements don't apply to software developed by the agencies themselves, but the agencies are expected to implement secure software development practices.
The memo is aimed at avoiding incidents like the 2020 SolarWinds hack, when attackers breached several US federal agencies via compromised SolarWinds Orion software.
While the memo applies only to US federal agencies and executive departments, it will surely have a positive impact on the public and private sectors in the US and around the world as well, since most of the software and solutions in question are widely used beyond the federal government.
News URL
https://www.helpnetsecurity.com/2022/09/15/us-government-software-secure/