Federal agencies must now comply with a National Institute of Standards and Technology framework on secure software development.
The Office of Management and Budget said Monday that “effective immediately” agencies must take action to adopt NIST’s new guidelines when procuring software.
President Biden’s May 2021 executive order on cybersecurity directed NIST to issue guidance that would help agencies navigate the software supply chain more securely, describing it as “a set of practices that create the foundation for developing secure software.” The standards agency issued that guidance, along with its Secure Software Development Framework (SSDF), on Feb. 4, which started a 30-day window within which OMB was required to direct agencies to comply with it.
That 30-day window expired Monday. “As such, Federal agencies must begin to adopt the SSDF and related guidance effective immediately, tailoring it to the agency’s risk profile and mission,” OMB said in a release.
Per NIST, the framework is “a set of fundamental, sound, and secure software development practices based on established secure software development practice documents” that is meant to “help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences.”
While agencies must begin adopting the new framework and guidance, “tailoring it to the agency’s risk profile and mission,” OMB is not yet requiring agencies to collect attestations from vendors about their secure software development practices, it said.
“OMB understands vendor attestation of secure software development practices has significant implications for vendors and service providers supporting delivery,” OMB said. “As a result, OMB will engage with the private sector on how best to implement this requirement before directing agencies to require an attestation.”
Later in March, OMB will host a public workshop that it intends to be “forward looking, focusing exclusively on best practices for implementing the SSDF, and approaches for attesting to secure software development practices.” Ahead of that workshop, OMB and NIST are asking industry to respond to a set of implementation questions to inform further discussions.