White House reminds agencies to adopt NIST's software supply chain security framework


The Office of Management and Budget has pressed federal agencies to adopt, without delay, the software supply chain best practices directed under last year's White House cybersecurity executive order.

Federal agencies must "immediately" adopt guidance on software supply chain security as required under the May 2021 cybersecurity executive order, the Office of Management and Budget stated on Wednesday.

For government buyers, this means starting the process of putting the Secure Software Development Framework from the National Institute of Standards and Technology into practice. Under the framework, buyers are required to obtain attestations that software products conform to certain development best practices as a way of ensuring a secure software supply chain.

"Federal agencies must begin to adopt the SSDF and related guidance effective immediately, tailoring it to the agency's risk profile and mission," the agency said in a March 7 statement on "enhancing the security of federally procured software."

OMB is also collecting comments on implementation of the NIST framework before tasking agencies with undertaking some of the activities described in the framework.

"OMB understands vendor attestation of secure software development practices has significant implications for vendors and service providers supporting delivery. As a result, OMB will engage with the private sector on how best to implement this requirement before directing agencies to require an attestation," the statement reads.

Per the executive order, the software supply chain security requirements extend to new acquisitions and to legacy software that comes up for renewal, although waivers are available.

The development best practices named by NIST include but aren't limited to using secure development environments, using multi-factor authentication and risk-based authentication across the developer enterprise, encrypting data, and having a system in place on the developer side to log and respond to cyber incidents.

The SSDF push was launched by NIST in 2019 to provide guidance for the software industry, but it was also included as a requirement in the Biden administration's cybersecurity executive order. NIST issued guidance for government buyers in early February, and now OMB is asking agencies to get on board with the plan and to submit comments on implementation.

OMB is seeking comment on six implementation questions to get ideas on how federal agencies can best obtain attestations covering software being procured, and on whether those attestations need to come from the original developer, another purchaser or a third party.

OMB wants responses from stakeholders by March 18. The agency will also host a public workshop on March 23 about implementation of the SSDF.