Industry Reactions to Govt Requiring Security Guarantees From Software Vendors


The White House has announced new guidance with the aim of ensuring that federal agencies only use secure software.

Building on the cybersecurity executive order (EO 14028) signed by President Joe Biden in May 2021, a memorandum from the Office of Management and Budget (OMB) requires federal agencies to comply with NIST guidance on secure software development and software supply chain security, including the NIST Secure Software Development Framework (SSDF), when using third-party software. To demonstrate compliance, agencies must at a minimum obtain a self-attestation form from the producers of the software they use or plan to use.

The forms must be obtained within 270 days for critical software and within one year for all other software.

The OMB noted that self-attestation is the minimum level required; agencies can also make a risk-based determination that a third-party assessment is needed if the product or service being acquired is critical.

Agencies can also require a software bill of materials (SBOM) and other artifacts that demonstrate the vendor's compliance, and they can require the vendor to operate a vulnerability disclosure program.

CISA has been tasked with creating a standard self-attestation form that agencies can use.

Some experts believe the initiative is a step in the right direction, while others point out that a lot of work remains, or are skeptical that it will have the desired effect.

Yotam Perkal, Director of Vulnerability Research, Rezilion:

Rhys Arkins, Vice President of Product Management, Mend:

Sounil Yu, Chief Information Security Officer, JupiterOne:

Tom Kellermann, CISM, SVP of Cyber Strategy, Contrast Security:

Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center:

Mike Burch, Director of Application Security, Security Journey:

Mark Stamford, Founder and CEO, OccamSec:

Rick McElroy, Principal Cybersecurity Strategist, VMware:

Andrew Hay, COO, LARES Consulting:

James McQuiggan, security awareness advocate, KnowBe4:

Moshe Zioni, VP of Security Research, Apiiro:


By Eduard Kovacs on Fri, 16 Sep 2022 13:00:08 +0000