President Biden issued Executive Order 14028, Improving the Nation’s Cybersecurity, on May 12, 2021 to address “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”
Section 4, Enhancing Software Supply Chain Security, observed, “The development of commercial software often lacks transparency, sufficient focus on the stability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.” To address these needs, the Executive Order required the National Institute of Standards and Technology (NIST) to issue guidance, including standards, procedures, or criteria, to strengthen the security of the software supply chain.
What Is OMB Memorandum M-22-18?
To put this guidance into practice, the Executive Order, through the Office of Management and Budget (OMB), requires agencies to procure and use software only from producers who fulfill the NIST Special Publication 800-218 Secure Software Development Framework. OMB implemented this requirement through OMB memorandum M-22-18, dated September 14, 2022. Specifically, M-22-18 requires agencies to “obtain a self-attestation from the software producer before using the software.” This requirement applies to new software as well as to existing software that is modified by major version changes.
OMB M-22-18 brings into existence a new and sizeable conformity assessment community. The memorandum introduces conformity assessment expectations and activities for the supply chain, starting with the software producer and ending with the federal agency putting the software into use. In addition, the OMB letter provides significant flexibility for agencies to add or substitute activities for obtaining self-attestations from producers of software.
Challenges With New Software Attestation Conformity Assessment Expectations
As a result, suppliers and vendors could face variations in conformity assessment expectations and activities from agency to agency. Agencies on the other hand will need to engage with many producers and vendors, each with their own perspective and approach regarding the self-attestations to be provided. Given that self-attestations must be obtained for every major version change for software used by an agency, conformity assessment activities in this new community will be ongoing.
OMB M-22-18 recognizes this new conformity assessment landscape and the challenges of productively working in it for all those affected. The first impacts will be felt in mid-January 2023, when OMB requires agencies to “develop a consistent process to communicate relevant requirements in this memorandum to vendors . . .”
The requirements about which agencies must communicate certainly include the software development requirements in NIST 800-218. Clearly, agency staff will have or obtain an understanding of those technical requirements. But agencies must also communicate about the conformity assessment activities required in OMB M-22-18. How can agency staff clearly communicate about those activities? OMB M-22-18 anticipates that concern as it also requires agencies to “assess their training needs and develop training plans” for this new conformity assessment landscape.
ANAB Training for Navigating the OMB M-22-18 Conformity Assessment Landscape
To help meet the needs of all parties, and especially the training needs of agencies, ANAB is developing a self-paced online training course. The training will provide a conceptual “map” of conformity assessment and how to use it to navigate the new landscape created by OMB M-22-18. This simple but highly effective conformity assessment paradigm will also be the basis for agencies’ ongoing dialog with software producers and vendors about the conformity assessment activities required in OMB M-22-18.
Applying this paradigm will quickly clarify the entities and activities in the new landscape, including activities implied but not mentioned in OMB M-22-18. With a common lexicon and paradigm, all parties can more easily communicate and reach agreements to fulfill the OMB M-22-18 obligations as cost-effectively as possible.
By completing the ANAB training, agencies will understand their role and options for implementing OMB M-22-18 in the context of international conformity assessment standards; a way of assessing a “Plan of Action & Milestones” when a self-attestation cannot be attained; how Software Bills of Materials (SBOMs) and artifacts relate to self-attestations and contribute to conformity assessment; and how to ensure companies implement, not just attest to, the use of secure software development practices consistent with NIST 800-218.
Vendors and producers will learn a way to structure and describe their activities and the information supporting their self-attestation, including Software Bills of Materials (SBOMs) and artifacts. By following this approach, vendors and producers will be able to effectively show they have implemented, not just attested to, the use of secure software development practices consistent with NIST 800-218. They will also be prepared for additional conformity assessment demands that may arise.
Conformity assessment consultants and service providers will understand this new conformity assessment landscape in a way that provides a basis for identifying potential services for this new community. An added benefit for service providers, and all attendees, is that the paradigm taught in the training can be used to quickly understand any conformity assessment community, landscape, or opportunity.
Will this new conformity assessment community be limited to federal agencies and their vendors? Or will market drivers expand the community to include parts or all of private sector software users? ANAB training will prepare participants for this new community and any future evolution of it.
A Quick Summary – Who Needs to Comply With OMB M-22-18?
Software producers and vendors must comply with the Office of Management and Budget (OMB) memorandum M-22-18 for Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. The memorandum supports Executive Order (EO) 14028, Improving the Nation’s Cybersecurity dated May 12, 2021. In the Executive Order, NIST was directed to issue guidance “identifying practices that enhance the security of the software supply chain.” The memorandum was issued to document the requirement for Federal Government agencies to comply with the guidance developed by NIST.
The memorandum states, “Compliance with the EO and NIST Guidance requires that agencies engage in appropriate planning.” Procurement and compliance personnel interacting with Federal Government agencies require a clear understanding of the conformity assessment aspects of the OMB memorandum. The memorandum presents conformity assessment concepts, ideas, and practices that will lead to choices and decisions for Federal Government agencies to make when implementing the actions required by the memorandum.
ANAB is developing a self-paced training course that will clarify what many of the terms and obligations described in the letter mean and will provide context for various service offerings related to the conformity assessment obligations, choices, and decisions that will arise. This training will provide a conceptual “map” of conformity assessment and how to navigate it by providing a conformity assessment paradigm through which this situation can be viewed to clearly understand it. Tangentially, this paradigm is applicable to understanding conformity assessment in any situation, not just for the actions required by the OMB memorandum.