Cybercriminals are growing more sophisticated, more organized, and more malicious, and their attacks today are more pervasive and penetrating than ever before. This wreaks havoc on both U.S. public and private sector entities and serves as a sobering reminder that there is vast room for improving and fortifying cybersecurity and government networks. In an effort to stymie attacks like a 2022 attack on Microsoft attempted by a hacking collective and others, the Office of Management and Budget recently issued a Memorandum to Department Heads and Agencies renewing the government’s focus on protecting the security and privacy of the American people. The Memorandum puts into place firm deadlines for agency compliance with a number of high-level regulatory and department directives called for in the previously issued Executive Order (EO) 14028: Improving the Nation's Cybersecurity.
Specifically, the Memorandum requires agencies to comply with “NIST Guidance” when using third-party software on the agency’s information systems or otherwise affecting the agency’s information. NIST Guidance comprises the NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance, and includes a set of practices that create the foundation for a contractor developing secure software. NIST Guidance will apply to third-party software developed after the September 14, 2022, effective date of the Memorandum, including any existing software that is modified by a major version change and used on agency information systems or otherwise touching the agency’s information. The term “software” for purposes of the Memorandum includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. NIST Guidance does not apply to agency-developed software or to software already developed, unless it is modified by a major version change.
The Memorandum also clarifies that the EO requirements apply to any attestable software the government identifies, placing an emphasis on “critical software.” Critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one attribute from a prescribed list (i.e., designed to manage privileges, direct or privileged access to networking or computing resources, designed to control access to data or operational technology, operates outside of normal trust boundaries with privileged access, or performs a function critical to trust).
Consistent with the NIST Guidance, agencies are required to obtain a self-attestation from the software producer before using the software unless a waiver is granted. While regulations have not yet been promulgated in the Federal Acquisition Regulation, the Memorandum states that a self-attestation from the software provider should include:
- The software producer's name
- A description of which product or products the statement refers to (preferably focused at the company or product line level and inclusive of all unclassified products sold to Federal agencies)
- A statement attesting that the software producer follows secure development practices and tasks that are itemized in the standard self-attestation form
In some cases, a third-party assessment may be required due to the criticality of the product.
Currently, it is unclear for which software, including “critical software,” an attestation will be required. Agencies are required to provide a list of attestation-required software within 90 days of the date of the Memorandum, triggering an agency deadline in mid-December.
Contractors should note other solicitation and RFP materials they may be asked for in future procurements, including a Software Bill of Materials (SBOM) in specified formats, evidence that the software producer participates in a Vulnerability Disclosure Program, and proof of source code integrity and vulnerability checks. Software criticality will play a large role in determining the volume and depth of NIST Guidance materials requested at the solicitation phase. As such, Government contractors should not wait to address these coming requirements and should work with their solution partners to ensure cybersecurity requirements are addressed and documented in accordance with NIST Guidance.
If you have any questions about this legal update, please contact the Government Contracts group.