The guidance aims to improve the security of software federal agencies use, but expects self-attestation for compliance.

Earlier this week, Chris DeRusha, federal CISO and deputy national cyber director in the White House, announced the release of Office of Management and Budget (OMB) guidance to ensure federal agencies rely only on software that has been built following standard cybersecurity practices. This software security requirement applies to all civilian federal agencies and the software vendors who do business with them.

The software security guidance was developed under President Biden’s wide-ranging cybersecurity executive order (EO) issued in May 2021. The impetus for the software security mandates contained in the order was the massive SolarWinds software breach, which occurred in late 2020 and awakened the industry to the significant potential for damaging vulnerabilities in software and the software supply chain.

The SolarWinds breach was “one of a string of cyber intrusions and significant software vulnerabilities over the last two years that have threatened the delivery of government services to the public, as well as the integrity of vast amounts of personal information and business data that is managed by the private sector,” DeRusha said. The new guidance “will help us build trust and transparency in the digital infrastructure that underpins our modern world and will allow us to fulfill our commitment to continue to lead by example while protecting the national and economic security of our country.”

NIST’s software security work drives the guidance

The guidance was developed over the past 15 months through a full-court effort by the Biden administration. It relies heavily on the National Institute of Standards and Technology’s (NIST’s) efforts to build secure software development standards through its Secure Software Development Framework (SSDF) and Software Supply Chain Security Guidance. It also relies on methods for creating a software bill of materials (SBOM) as defined by the National Telecommunications and Information Administration (NTIA) and, later, CISA. All these government resources serve as the foundation for OMB’s guidance. A self-attestation form that OMB will create is critical to implementing the guidance: it lets agencies and their contractors proclaim that they meet the requirements in the NIST and other government documents.

Software security rules will be developed quickly

As was true of the EO itself, the OMB’s guidance document spells out an expedited timeline for agencies and their software providers to comply with the new requirements. Among the critical deadlines are:

- Within 90 days, or by December 14, agencies will have to produce an inventory of all software subject to OMB’s guidance. (Software developed within agencies is exempt.)
- Within 120 days, or by January 13, 2023, agency CIOs must develop a consistent process to communicate relevant requirements to vendors and ensure attestation letters are collected in one central agency system.
- Within a year, or by September 14, 2023, agencies will have to collect attestation for all software subject to the requirements.

The expected release of the OMB guidance starts the clock on work that no government agencies and few software suppliers outside the Silicon Valley giants have learned how to do. The goal of setting standards for companies that sell software to the federal government was to effectuate fundamental changes in software security practices through the government’s “power of the purse.”

“By baking security into the development process, or ‘shifting left,’ all involved in the federal cyber ecosystem – from agencies to vendors – can work together to deliver better user experiences in a secure environment and provide a positive impact on the mission,” Chris Wysopal, co-founder and chief technology officer at Veracode, said in a statement. “As federal agencies look to comply with the approaching deadlines laid out in this document, they should critically review their existing software security strategies and ensure application security testing is embedded into the software development lifecycle.”

It will take years to become fully compliant

“Obviously the executive order can’t just tell software engineers to write more secure code. It doesn’t quite work that way,” software supply chain expert Dan Lorenc, CEO of Chainguard, tells CSO. “Instead, it directed a bunch of agencies to meet with industry experts to gather best practices and formalize that in a document for the OMB and other agencies to start pulling that into their procurement process.”

Despite the speed with which the Biden administration kicked into gear to tackle software security, it will take years for software vendors to become fully compliant. The requirements document “is absolutely massive,” Lorenc says, pointing to the underlying NIST work on which the OMB’s guidance relies.

Self-attestation will likely lead to third-party audits

But, Lorenc adds, self-attestation “isn’t the highest bar for vendors to jump over.” Over time, self-attestation will give way to third-party audits “like everything else in this space,” he says.

Eric Noonan, CEO of security compliance firm CyberSheath, comes down harder on the self-attestation element of the government’s program. “Allowing for self-attestation ensures we will repeat the sins of the past,” he said in a statement. “Self-attestation has been allowed for defense contractors since 2015, and the Department of Defense has recognized that trust without verification has been a failure.” Noonan tells CSO that “Trust without any verification doesn’t work. So, I think that’s a tremendous disappointment. Overall, self-attestation is doomed to fail.”

Few safety and security rules rely on self-attestation, Noonan says. “We don’t even let Americans self-attest to the safety of their own cars.
Why would we let software vendors who have such a global impact on our national security, critical infrastructure, and everything else self-attest to their levels of cybersecurity?”

Like Lorenc, Noonan thinks that over the long run, self-attestations of software security will lead to some form of third-party audits that vendors must undergo. “The government doesn’t get enough credit for consistently trying to do the next right thing. And in this case, is it perfect? No, but it’s the next right thing. Eventually, we’ll probably get to a place where there is no self-attestation. In the interim, executing the direction of the memorandum is the next right thing to do.”