The Biden administration has issued guidance (OMB Memo M-22-18) for agencies under its executive order requiring that the software they use follow certain common cybersecurity practices.
“The global supply chain for these technologies faces relentless threats from nation state and criminal actors seeking to steal sensitive information and intellectual property, compromise the integrity of government systems, and conduct other acts that impact the United States government’s ability to safely and reliably provide services to the public,” it says.
The memo requires agencies to comply with NIST guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information; it applies to software developed, or modified by major version changes, as of its effective date of September 14. The requirements do not apply to agency-developed software, “although agencies are expected to take appropriate steps to adopt and implement secure software development practices for agency-developed software,” it says.
Agencies must “ensure software producers have implemented and will attest to conformity with secure software development practices” before using software; and “may obtain from software producers artifacts that demonstrate conformance to secure software development practices, as needed.”
The memo also sets a series of deadlines for specific actions. These include that within 90 days agencies are to inventory all software subject to the requirements, with a separate inventory for “critical software”; and within 120 days they are to “develop a consistent process to communicate relevant requirements in this memorandum to vendors, and ensure attestation letters not posted publicly by software providers are collected in one central agency system.”