Software Security in Supply Chains: Attesting to Conformity with Secure Software Development Practices

NIST’s attestation guidance in response to Section 4(e) outlined minimum recommendations that software purchasers should require of suppliers. That guidance was subsequently codified into the Office of Management and Budget (OMB) Memorandum M-22-18 and instructs federal acquirers to ensure that “software producers have implemented and will attest to conformity with secure software development practices.”[1] The minimum elements for self-attestation in M-22-18 include:

  • The software producer’s name
  • A description of which product or products the self-attestation statement refers to
  • A statement attesting that the software producer follows secure development practices, as prescribed in NIST Guidance

Similar to Section 4(e)’s recognition that there are instances in which “minimum practices will not be sufficient,”[2] M-22-18 indicates that agencies may obtain additional artifacts (e.g., SBOMs, evidence of participation in vulnerability disclosure programs) based on criticality and other risk-based considerations, as determined by the agency.[3] SP 800-161r1 outlines such risk-based considerations for determining the appropriate degree of attestation from suppliers. Examples of risk-based considerations that may demand more robust attestation include:

  • Prospective suppliers under FOCI, as outlined in Appendix E of SP 800-161r1 (e.g., a supplier or its component suppliers have headquarters; research; development; manufacturing, testing, packaging, distribution, or service facilities; or other operations in a foreign country, including a country of special concern or a foreign adversary)
  • Suppliers who provide mission-critical, life safety, homeland security, critical infrastructure, or national security functions or an interdependency with another covered entity that performs such functions
  • Suppliers who support high value assets or a critical system component and that have been assessed by the agency to have a risk that is high relative to the use case; assessed risk impact may or may not extend outside of the agency
  • Suppliers who require the ability to access controlled unclassified information (CUI) or classified information
  • Suppliers who represent a single source of supply with limited availability of or acceptable alternatives to the product, service, or source
  • Suppliers who are frequently associated with foreign adversary tactics, techniques, and procedures (TTPs); security alerts; or threat intelligence reports

In these scenarios, federal agencies should consider enhancing attestation beyond the minimum recommended practices outlined in NIST’s Section 4(e) guidance and the requirements enumerated in OMB’s M-22-18. Examples of enhanced attestation capabilities include:

  • Supplier certifications, site visits, and/or third-party assessment and attestation
  • Higher frequency and/or continuous monitoring of supplier adherence to attestation commitments
  • Collection and review of lower-level artifacts, including functional and technical security controls
  • Higher fidelity SBOMs, including a vendor vulnerability advisory report (VAR) at the component level

Federal agencies that seek more comprehensive attestation capabilities in higher-risk scenarios should reference the evolving guidance on standards, tools, and practices, as well as Appendices D and E of SP 800-161r1.

  --------------

[1] Office of Management and Budget. (2022). Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.
[2] National Institute of Standards and Technology. (2022). Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e.
[3] OMB also issued M-23-16, Update to Memorandum M-22-18, which provides timelines for the collection of attestations. This memorandum provides supplemental guidance on the scope of M-22-18’s requirements and on agencies’ use of POA&Ms when a software producer cannot provide the required attestation but plans to do so. In addition, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released the Secure Software Development Attestation Form and its instructions.

Created May 3, 2022, Updated November 1, 2024