NIST’s attestation guidance in response to Section 4(e) outlines four minimum recommendations that software purchasers should require from suppliers. The guidance recognizes that there are instances in which “these minimum practices will not be sufficient”[1] due to agency-specific risk-based considerations.
SP 800-161, Rev. 1 outlines an array of such risk-based considerations that federal agency acquirers should weigh when determining the appropriate degree of attestation from suppliers. Examples of risk-based considerations that demand more robust attestation include:
- Prospective suppliers under Foreign Ownership, Control, or Influence (FOCI), as outlined in Appendix E of SP 800-161, Rev. 1 (e.g., a supplier or its component suppliers have headquarters; research; development; manufacturing, testing, packaging, distribution, or service facilities; or other operations in a foreign country, including a country of special concern or a foreign adversary)
- Suppliers who provide mission-critical, life-safety, homeland security, critical infrastructure, or national security functions or an interdependency with another covered entity performing or essential to such functions
- Suppliers who support high value assets or a critical system component and that have been assessed by the agency to have a risk that is high relative to the use-case; assessed risk impact may or may not extend outside of the agency
- Suppliers who require the ability to access controlled unclassified information (CUI) or classified information
- Suppliers who represent a single source of supply with limited availability of (or acceptable alternatives to) the product, service, or source
- Suppliers who are frequently associated with foreign adversary tactics, techniques, and procedures (TTPs); security alerts; or threat intelligence reports
In these scenarios, federal agencies should consider enhancing attestation beyond the four minimum recommended practices outlined in Attesting to Conformity with Secure Software Development Practices guidance. Examples of enhanced attestation capabilities include:
- Supplier certifications, site visits, and/or third-party assessment and attestation
- Higher frequency and/or continuous monitoring of supplier adherence to attestation commitments
- Collection and review of lower-level artifacts, including functional and technical security controls
- Higher fidelity SBOMs, including vendor vulnerability disclosure reports at the component level
Federal agencies seeking more comprehensive attestation capabilities in higher-risk scenarios should reference the evolving standards, tools, and practices guidance and Appendices D and E of SP 800-161, Rev. 1.