Software Attestation & Supply Chain Security (OMB M-22-18)


President Biden issued Executive Order 14028, Improving the Nation’s Cybersecurity, on May 12, 2021 to address “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”

Section 4, Enhancing Software Supply Chain Security, observed, “The development of commercial software often lacks transparency, sufficient focus on the stability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.” To address these needs the Executive Order required the National Institute of Standards and Technology (NIST) to issue guidance including standards, procedures, or criteria to strengthen the security of the software supply chain.

What Is OMB Memorandum M-22-18?

To put this guidance into practice, the Executive Order, through the Office of Management and Budget (OMB), requires agencies to procure and use software only from producers who follow the NIST Special Publication 800-218 Secure Software Development Framework (SSDF). OMB implemented this requirement through memorandum M-22-18, dated September 14, 2022. Specifically, M-22-18 requires agencies to “obtain a self-attestation from the software producer before using the software.” The requirement applies to software developed after the date of the memorandum as well as to existing software that is subsequently modified by a major version change.

OMB M-22-18 brings into existence a new and sizeable conformity assessment community. The memorandum introduces conformity assessment expectations and activities along the whole supply chain, starting with the software producer and ending with the federal agency putting the software into use. In addition, the memorandum gives agencies significant flexibility to add or substitute activities beyond the baseline self-attestation, for example requiring artifacts such as a software bill of materials or a third-party assessment where the agency judges the risk to warrant it.

Challenges With New Software Attestation Conformity Assessment Expectations

Because of that flexibility, suppliers and vendors could face different conformity assessment expectations and activities from agency to agency. Agencies, on the other hand, will need to engage with many producers and vendors, each with its own perspective and approach to the self-attestations it provides. Given that a self-attestation must be obtained for every major version change of software an agency uses, conformity assessment activity in this new community will be ongoing rather than a one-time exercise.

OMB M-22-18 recognizes this new conformity assessment landscape and the challenge, for everyone affected, of working productively within it. The first impacts will be felt in mid-January 2023, when OMB requires agencies to “develop a consistent process to communicate relevant requirements in this memorandum to vendors . . .”

The requirements agencies must communicate certainly include the software development practices in NIST SP 800-218. Agency staff will have, or will obtain, an understanding of those technical requirements. But agencies must also communicate the conformity assessment activities required by OMB M-22-18, and it is less obvious how agency staff can do so clearly. OMB M-22-18 anticipates that concern: it also requires agencies to “assess their training needs and develop training plans” for this new conformity assessment landscape.

A Quick Summary – Who Needs to Comply With OMB M-22-18?

Software producers and vendors that sell to the Federal Government must meet the attestation requirements of Office of Management and Budget (OMB) memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. The memorandum supports Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, dated May 12, 2021. In the Executive Order, NIST was directed to issue guidance “identifying practices that enhance the security of the software supply chain.” The memorandum was issued to document the requirement for Federal Government agencies to comply with the guidance developed by NIST, and it is the agencies that in turn impose the attestation requirement on the producers whose software they acquire.

The memorandum states, “Compliance with the EO and NIST Guidance requires that agencies engage in appropriate planning.” Procurement and compliance personnel interacting with Federal Government agencies require a clear understanding of the conformity assessment aspects of the OMB memorandum. The memorandum presents conformity assessment concepts, ideas, and practices that will lead to choices and decisions for Federal Government agencies to make when implementing the actions required by the memorandum.
