The White House released new guidance this week ordering federal agencies to create a full inventory of the software they use within 90 days.
In a letter to all heads of executive departments and agencies, White House Office of Management and Budget (OMB) director Shalanda Young said a wide-ranging cybersecurity executive order handed down last May by President Joe Biden directed the National Institute of Standards and Technology (NIST) to publish guidance on how the agencies can better protect government systems through more secure software.
Now that NIST has finished creating its guidance, the OMB wants all agencies to implement it for any third-party software used with an organization’s computer systems. The rules do not apply to software developed by agencies themselves.
One of the key tenets of the NIST guidance is having agencies ask the producers of software to show they have followed a “risk-based approach for secure software development,” and agencies are now banned from using software that does not comply with the NIST guidelines.
The software vendors will need to send agencies a “self-attestation” letter about the product’s security features, recent changes and more. The vendors also have to attest to following “secure development practices.”
In addition to the 90-day deadline for creating an inventory of all software used, agency chief information officers have 120 days to build out a process for communicating the new requirements to software vendors. Within 270 days, agencies need to collect letters from vendors about “critical” software. Agencies will need to have letters from vendors about all software — critical and otherwise — by next September.
The letter gives agency CIOs one more task: they have six months to train employees to validate what the software companies claim in their letters. Any extensions to the timelines need to be applied for within 30 days of the deadline.
Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, said it is important for agencies to embark on this process because they handle “everything from tax returns to veteran’s health records.”
DeRusha specifically cited the SolarWinds scandal as one of the reasons why the effort was paramount for agencies, noting that the 2020 incident saw several federal agencies and corporations compromised by malicious code that was added into SolarWinds software.
The small change created a backdoor into the digital infrastructure of federal agencies and private sector companies.
“This incident was one of a string of cyber intrusions and significant software vulnerabilities over the last two years that have threatened the delivery of Government services to the public, as well as the integrity of vast amounts of personal information and business data that is managed by the private sector,” DeRusha said.
He added that the goal of the effort is to ensure that “millions of lines of code that underpin Federal agencies’ work are built with industry security standards in place.”
Young, the OMB director, said these tasks are part of a larger effort to get agencies to regularly use NIST guidance when choosing what software to use.
Young also outlined a process where the “self-attestation” letters from vendors can be supplemented or replaced by a third-party assessment provided by a federally-certified organization or government agency.
The letter to agencies adds that they can require a Software Bill of Materials (SBOMs) — an ingredient list of parts that make up a piece of software.
In recent months, the Cybersecurity and Infrastructure Security Agency (CISA) has led an industry-wide push to make SBOMs a common part of releasing any piece of software, with the hope that the practice will make it easier to find potentially vulnerable features. Cybersecurity experts and lawmakers say that SBOMs would make it easier for organizations to deal with issues like the Log4j vulnerability uncovered in December 2021, because it would help identify whether they’re at risk and how to mitigate the threat.
OMB is working with CISA and the General Services Administration to create a centralized repository for software attestations. CISA was also given a range of tasks to complete over the next year that include creating some of the guidelines agencies will need to follow going forward.