OMB reverses Biden-era software attestation order

A new executive branch memorandum instead allows agencies to lean on software bills of materials, or SBOMs, in lieu of a universal attestation framework.

The White House on Friday rescinded a 2022 order that mandated a single, standardized self-attestation form for federal agencies to obtain cybersecurity assurances from software vendors, arguing the policy hindered agencies from adopting security solutions for their specific system needs.

“There is no universal, one-size-fits-all method of achieving that result,” Office of Management and Budget Director Russ Vought said in the memo released Friday. “Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment.”

Former President Joe Biden signed the landmark Executive Order 14028 in May 2021, which led to the issuance of the original memo. The directive was meant to respond to the massive SolarWinds intrusion campaign that compromised multiple federal agencies.

A software attestation is typically a statement from a vendor outlining the security controls and development practices used to build a software product. It can assist government customers in understanding their exposure to supply-chain risk and clarify responsibility when vulnerabilities or breaches emerge.

The “unproven and burdensome” process “diverted agencies from developing tailored assurance requirements for software and neglected to account for threats posed by insecure hardware,” the new Vought memo says.

Agencies should still maintain a complete inventory of software and hardware and develop software and hardware assurance policies and processes that match their risk determinations and mission needs, it adds.

Agencies can still use the government-wide attestation form developed under the Biden-era memo but “may also choose to adopt contractual terms that require a software producer to provide a current software bill of materials (SBOM) upon request,” it reads.

An SBOM serves as a recipe list for a piece of software, inventorying the components used to build and deploy it, and can help cyberdefenders identify vulnerable or compromised parts of a product.
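As an added illustration of the defender's use described above (not code from the memo or from any vendor), this Python snippet inventories the components listed in a constructed CycloneDX-style SBOM and flags any whose version falls inside a constructed advisory's affected range; the component names and advisory ids are placeholders, not real packages or CVEs.

```python
import json
import re

# Constructed SBOM in CycloneDX JSON shape; names and versions are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.1"},
        {"type": "library", "name": "example-parser", "version": "1.8.3"},
        {"type": "library", "name": "example-http", "version": "3.0.0"},
    ],
})

# Constructed advisory feed: affected range is [introduced, fixed); ids are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "example-logger", "introduced": "2.0.0", "fixed": "2.17.0"},
    {"id": "ADV-EXAMPLE-002", "name": "example-parser", "introduced": "1.9.0", "fixed": "1.9.5"},
    {"id": "ADV-EXAMPLE-003", "name": "example-http", "introduced": "1.0.0", "fixed": "2.9.9"},
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so tuple comparison orders versions numerically.
    Non-numeric suffixes such as '1.0.0-beta' are ignored (treated as their numeric prefix)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def sbom_components(sbom_json):
    """Return (name, version) pairs for every component in a CycloneDX-style SBOM."""
    doc = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def find_affected(sbom_json, advisories):
    """Return the SBOM components whose version lies in an advisory's affected range."""
    hits = []
    for name, version in sbom_components(sbom_json):
        current = parse_version(version)
        for adv in advisories:
            if adv["name"] != name:
                continue
            if parse_version(adv["introduced"]) <= current < parse_version(adv["fixed"]):
                hits.append({"name": name, "version": version,
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"{hit['name']} {hit['version']}: {hit['advisory']} (fixed in {hit['fixed_in']})")
```

Only example-logger is flagged: example-parser sits below its advisory's introduced version and example-http is already past the fix.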

“By encouraging a modern approach that recommends SBOMs on demand, the White House is aligning with the fact that software is dynamic and always changing,” said Mitch Herckis, global head of public affairs at cloud security firm Wiz and a former director in the White House Office of the Chief Information Officer. “This is a smart approach to tackling security in the modern software era.”