The White House’s Office of Management and Budget (OMB) is urging agencies to “immediately” implement the National Institute of Standards and Technology (NIST) guidance on software supply chain security.
NIST released its Secure Software Development Framework (SSDF) and related Software Supply Chain Security Guidance in February of this year, in accordance with President Biden’s May 2021 cybersecurity executive order. The EO directs OMB to require agencies to comply with NIST’s guidance.
“As such, Federal agencies must begin to adopt the SSDF and related guidance effective immediately, tailoring it to the agency’s risk profile and mission,” OMB said in a March 7 statement.
“OMB understands vendor attestation of secure software development practices has significant implications for vendors and service providers supporting delivery,” OMB wrote. “As a result, OMB will engage with the private sector on how best to implement this requirement before directing agencies to require an attestation.”
The agency said it will gather feedback through a set of six implementation questions, which will help inform a March 23 workshop hosted by NIST on behalf of OMB.
The workshop aims to inform OMB on future implementation guidance for Federal procurement of secure software. Responses to the implementation questions should be sent to OFCIO@omb.eop.gov no later than 5:00 p.m. on March 18.