Could Careless Coders Face False Claims Liability?

New Software Development Security Attestation and Related False Claims Act Liability for Commercial and Noncommercial Software Developers and Suppliers

Key takeaway


Software producers at all levels in the federal supply chain should prepare to attest that their software development practices comply with National Institute of Standards and Technology (NIST) standards, supported by artifacts that demonstrate secure software development and by a software bill of materials (SBOM).


What happened


On Sept. 14, 2022, the Office of Management and Budget (OMB) issued guidance establishing time frames for requiring all federal agencies to use only software provided by developers (producers) who can attest in writing to complying with the NIST-specified Secure Software Development Framework (NIST SP 800-218) and NIST software supply chain security guidance. OMB's actions implement President Joe Biden's May 12, 2021, Executive Order requiring NIST to identify practices that enhance the security of the software supply chain.


OMB's memorandum could have far-reaching implications for developers and federal suppliers. "Software" for this purpose includes firmware, operating systems, applications and application services (e.g., cloud-based software), as well as products containing software. OMB's memorandum implies that this attestation requirement is meant to ripple through the supply chain, so that all software used on agency information systems or affecting agency information (from laptops and servers to printers and IoT-connected devices) could need an attestation.


Federal agencies are directed to obtain an attestation, either from the software producer or, potentially, for critical software, from a third-party assessor. Although the form of the attestation is not final, the O ..
