NIST’s attestation guidance in response to Section 4(e) outlined minimum recommendations that software purchasers should require of suppliers. That guidance was subsequently codified into the Office of Management and Budget (OMB) Memorandum M-22-18 and instructs federal acquirers to ensure that “software producers have implemented and will attest to conformity with secure software development practices.”[1] The minimum elements for self-attestation in M-22-18 include:
Similar to Section 4(e)’s recognition that there are instances in which “minimum practices will not be sufficient,”[2] M-22-18 indicates that agencies may obtain additional artifacts (e.g., SBOMs, evidence of participation in vulnerability disclosure programs) based on criticality and other risk-based considerations, as determined by the agency.[3] SP 800-161r1 outlines such risk-based considerations for determining the appropriate degree of attestation from suppliers. Examples of risk-based considerations that may demand more robust attestation include:
In these scenarios, federal agencies should consider enhancing attestation beyond the minimum recommended practices outlined in NIST’s Section 4(e) guidance and the requirements enumerated in OMB’s M-22-18. Examples of enhanced attestation capabilities include:
Federal agencies that seek more comprehensive attestation capabilities in higher risk scenarios should reference the evolving standards, tools, and practices guidance and Appendices D and E of SP 800-161r1.
--------------
[1] Office of Management and Budget. (2022). Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.
[2] National Institute of Standards and Technology. (2022). Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e.
[3] OMB also issued M-23-16, Update to Memorandum M-22-18, which provides timelines for the collection of attestations. This memorandum provides supplemental guidance on the scope of M-22-18’s requirements and on agencies’ use of POA&Ms when a software producer cannot yet provide the required attestation but plans to do so. In addition, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released the Secure Software Development Form and Instructions.