OMB Issues New Guidance on Software Attestation

In February, we informed you about a United States Office of Management and Budget (OMB) memorandum, M-22-18, that required federal agencies to obtain self-attestations from software producers confirming that their software was developed in accordance with NIST's secure software development guidance (the Secure Software Development Framework, NIST SP 800-218). This requirement applied to firmware, operating systems, applications, cloud-based software, and other software used on federal information technology systems.

Since February, there have been several developments on this front, and we want to provide you with the latest information on the self-attestation process and make you aware of key dates that will affect your company. On June 9, 2023, OMB released memorandum M-23-16. This memo sets out the new deadlines as well as recent adjustments to the alternatives to self-attestation.

Key Dates to Know:

Deadline Extended!

The deadline for collecting forms from software providers has changed. Under M-22-18, federal agencies had until June 11, 2023 to collect self-attestation forms from providers of critical software and until Sept. 14, 2023 to collect them from providers of all other software.

These deadlines have been extended and are now tied to approval of the common form. Agencies must collect self-attestation forms from providers of critical software three months after OMB approves the final common form under the Paperwork Reduction Act (PRA), and from providers of all software six months after that approval. The common form establishes the baseline software security standards for government procurement and lists the minimum secure software development practices a software producer must attest to meeting.


Alternatives to Attestation:

The memorandum also provides an alternative to self-attestation. Instead of signing the form, a software provider may engage a FedRAMP-certified third-party assessor organization (3PAO) to assess its software development practices and confirm that they meet the requirements; the agency then accepts that third-party assessment in place of the self-attestation.


Open Period for Comment:

On April 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a 60-day Request for Comment on a draft version of the secure software self-attestation common form. The comment period is open until June 26, 2023. Contract Holders wishing to provide feedback can do so at Regulations.gov.

We encourage our Contract Holders to become familiar with these requirements and to provide industry comments on the draft attestation common form.


NITAAC Is Here for You

As more information becomes available, NITAAC will keep you apprised of any changes to the timeline or to other deliverables that will directly affect your business. To read the Executive Order (EO 14028), visit https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity. To read OMB memorandum M-22-18, visit https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf.