The White House issued a memorandum that requires each federal agency to comply with the NIST Guidance when using third-party software on the agency’s information systems and to inventory all software subject to its requirements within 90 days.
As part of the new guidance that follows the executive order “Improving the Nation’s Cybersecurity” issued in May last year, federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices. Otherwise, a third-party assessment can be provided by a certified FedRAMP Third Party Assessor Organization (3PAO) or one approved by the agency.
Also, a Software Bill of Materials (SBOM) may be required by the agency in solicitation requirements, depending on how critical the software is. The SBOMs must be generated in one of the data formats defined in the National Telecommunications and Information Administration (NTIA) report “The Minimum Elements for a Software Bill of Materials (SBOM).”
Agency CIOs will need to assess training needs and develop training plans for the review and validation of software attestations and artifacts within 180 days.
“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised. With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries,” Chris DeRusha, federal chief information security officer and deputy national cyber director, wrote on the White House website. “The guidance released today will help us build trust and transparency in the digital infrastructure that underpins our modern world and will allow us to fulfill our commitment to continue to lead by example while protecting the national and economic security of our country.”

The executive order aims to implement a zero trust strategy, improve detection of and response to threats, and gain the ability to quickly recover from cyber-attacks within government agencies, as part of a larger enterprise cybersecurity and information technology (IT) modernization plan, according to DeRusha.