
New Federal Software Security Rules for Government Vendors 2024

Posted by TurboGSA on Sep 17, 2024 9:15:00 AM

Navigating the New Software Security Requirements for Government Vendors: A Guide

In an era where cybersecurity threats are ever-present, the federal government has stepped up its measures to ensure that software used in its operations meets stringent security standards. The Office of Management and Budget (OMB) has introduced new requirements for vendors selling software to federal agencies. These changes, driven by Executive Order 14028 and OMB Memorandum M-22-18, aim to enhance the security of the software supply chain by mandating that software producers adopt secure software development practices. Vendors must now complete a self-attestation form, ensuring their software complies with the government’s security guidelines.

This blog post outlines the key aspects of the new requirements, the actions vendors need to take, the timeline for compliance, and how these changes may impact the software industry and government procurement.

Key Points of the Regulation

At the core of these changes is OMB Memorandum M-22-18 (as amended by M-23-16), which requires federal agencies to use only software that has been developed following the secure practices laid out by the National Institute of Standards and Technology (NIST) in its Secure Software Development Framework (SSDF). Key aspects include:

  • Secure Development Practices: Software must be built in secure environments, with measures such as multi-factor authentication and encrypted sensitive data.
  • Self-Attestation: Vendors must attest that their software conforms to these secure development practices using the common form issued by the Cybersecurity and Infrastructure Security Agency (CISA).
  • Plan of Action & Milestones (POA&M): If a software producer cannot meet all the required security practices, they must submit a plan to address these deficiencies.
  • Public Posting or Repository Submission: Completed attestation forms must either be made publicly available or submitted to the CISA repository for access by federal agencies.

Specific Changes Vendors Must Make to Comply

For vendors selling software to federal agencies, the following changes are essential for compliance with the new regulation:

  1. Complete the Self-Attestation Form:
    • Vendors must fill out the CISA secure software development attestation form, ensuring all required fields are completed, including the software producer’s information, version numbers, and confirmation of adherence to secure practices.
  2. Upload to CISA Repository:
    • If the attestation form is not publicly posted, vendors must upload it to the CISA repository. This ensures federal agencies can verify the security credentials of the software they are purchasing.
  3. Develop a POA&M (if necessary):
    • If a vendor is unable to attest to certain secure software practices, they must submit a POA&M outlining the steps to address these gaps.
  4. Third-Party Assessments:
    • While self-attestation is the minimum requirement, agencies may also require third-party assessments, particularly for software deemed critical.
  5. Maintain Documentation:
    • Vendors must maintain detailed documentation of their development practices and the security measures applied to the software. This includes monitoring vulnerabilities and maintaining a clear provenance for internal and third-party code.

Timeline for Implementation

Compliance with the new regulations is expected to unfold in several stages:

  • Within 90 Days: Agencies must inventory all software subject to the new requirements.
  • Within 120 Days: A communication process must be established between agencies and vendors to ensure all software attestations are collected.
  • Within 270 Days: Attestation letters for "critical software" must be collected.
  • Within 365 Days: All remaining software used by federal agencies must have completed attestations.

The timeline for software producers is tied to when software is developed or modified. For example, software developed after September 14, 2022, or existing software with major version changes after this date, falls within the scope of these requirements.

Potential Impacts on the Software Industry and Government Procurement

These new requirements are expected to have several broad impacts:

  • Increased Vendor Responsibility: Vendors will need to ensure their development processes align with secure software development standards, which may require changes to their internal procedures and increased attention to security practices.
  • Heightened Security Across the Supply Chain: By enforcing these requirements, the government aims to reduce the risk of cybersecurity threats and protect sensitive information. This is a significant step forward in ensuring that the software supply chain is secure from end to end.
  • Increased Costs for Compliance: Vendors may incur additional costs related to third-party assessments, documentation requirements, and continuous monitoring. This could especially impact smaller vendors without the resources to quickly adapt to these new standards.

Best Practices for Vendors to Adapt

To successfully navigate these new requirements, software vendors should adopt several best practices:

  • Early Adoption of NIST’s SSDF: Incorporate NIST’s Secure Software Development Framework into your development cycle to ensure compliance from the outset.
  • Conduct Internal Audits: Regularly audit your development environment and security practices to ensure they meet federal standards.
  • Use Automated Tools for Security Checks: Leverage automated tools to continuously monitor for vulnerabilities and maintain the security of third-party components.
  • Train Your Team: Provide training on secure development practices and the specific requirements of the self-attestation process.
  • Collaborate with Federal Agencies: Engage with agencies early to clarify compliance expectations and ensure you are fully prepared to meet the requirements.

Resources for Further Information

For vendors seeking more information or support in meeting these requirements, the following resources are available:

  • CISA Secure Software Development Attestation Form: CISA Website.
  • NIST Secure Software Development Framework (SSDF): NIST SSDF.
  • OMB Memorandum M-22-18: OMB Website.

Conclusion

[Figure: Software Attestation Chart]

The federal government's push for stronger cybersecurity measures in software development is a significant shift that will affect all software vendors selling to federal agencies. Vendors must act quickly to comply with these new requirements, which emphasize secure software development practices and transparency through self-attestation.

The key takeaway for vendors is clear: prioritize secure development practices now to avoid disruption to your federal contracts. By following the guidelines set out by OMB and NIST, maintaining thorough documentation, and being proactive in your approach, you can navigate these changes and continue to provide software solutions to the federal government securely and effectively.

Next Steps for Vendors

  • Review the self-attestation form and start the completion process.
  • Audit your software development practices against NIST’s SSDF guidelines.
  • Establish a compliance plan, including timelines and any necessary POA&Ms.
  • Engage with your federal agency clients to understand their specific needs and expectations under the new guidelines.

By taking these steps now, you will be well-positioned to comply with the federal government’s new software security requirements.
