Federal Chief Information Security Officer Chris DeRusha said this week that the Office of Management and Budget (OMB) is preparing to publicly release a common attestation form for software makers as part of the Federal government’s larger push to create a more secure software supply chain as mandated by President Biden’s cybersecurity executive order issued in May 2021.
The attestation form for software makers is an integral part of an OMB directive issued in September 2022 that requires Federal agencies to take a range of actions to comply with National Institute of Standards and Technology (NIST) guidance on software security.
The OMB directive “requires each Federal agency to comply with the NIST Guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.” It defines “software” to include “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”
“Federal agencies must only use software provided by software producers who can attest to complying with the government-specified secure software development practices, as described in the NIST Guidance,” OMB ordered. As part of that obligation, Federal agency chief information officers need to take a number of steps including getting self-attestations from software producers that they have implemented and will attest to conformity with the security software development practices.
Speaking at an April 25 event organized by the Alliance for Digital Innovation to coincide with the RSA Conference in San Francisco, DeRusha said “we’ll be putting out a common attestation form for secure software development practices, probably later this week in the Federal Register.”
He flagged that coming development as part of a larger conversation about the push to modernize security practices that stems from the 2021 cybersecurity executive order.
“It set into motion all sorts of policy directives that we issued after that and strategies like the zero trust strategy, secure software development practices, [and] ensuring we have Federal logging and incident response and detection capabilities across the entire program,” DeRusha said.
Since the executive order was issued, “we’ve had a lot of impetus in that area that was kind of concretely directly driven from these policies. It’s just been a lot … of getting to the implementation layer of all that in turn, meeting the world where it is, and being agile around it,” he said.
“That’s where the rubber meets the road,” DeRusha said. “Taking that policy and then we’ll test it with the world and see if we got it right, and be kind of be agile and continue to evolve it.”
