Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Workshop on OMB M-22-18 Minimum Requirements

Workshop on OMB M-22-18 Minimum Requirements

On June 1,  NIST and OMB will host a workshop to discuss next steps for implementation of M-22-18, Enhancing the Security the Software Supply Chain through Secure Software Development Practices, the intended impact on the security of the Federal enterprise, CISA’s self-attestation common form, and the initial minimum requirements contained therein.

Attendees are encouraged to submit their questions in advance to ofcio [at] (ofcio[at]omb[dot]eop[dot]gov) by May 26.

Please note that the recording for this workshop will NOT be posted after the event. Those who wish to participate are encouraged to join the live event.

Workshop Goals:

  1. Broaden awareness of M-22-18’s scope, requirements, and vision
  2. Address common questions and provide clarification on next steps

11:00am - 1:00pm ET

Moderator: Kevin Stine, Chief, Applied Cybersecurity Division, NIST


Start Time 



Session Information 



Kevin Stine (moderator)

Mitch Herckis, OMB OFCIO; Jeremy McCrary,  OMB OFPP

Secure Software: From EO 14028 to Self-Attestation

Based on EO 14028, M-22-18 outlined OMB’s role in the identification of minimum elements from SP 800-218 to which software producers must attest. This panel will address the intent of this effort, the requirements put forward for agencies, and the development of minimum elements to which software producers must attest and submit to agencies. We will also discuss the circumstances and scope of software to which minimum elements apply and when they do not.







Yejin Jang,  OMB OFCIO;  Brian Paap, CISA C-SCRM



Next Steps and Common Questions 

M-22-18 contemplates the use of a self-attestation common form that agencies are encouraged to leverage to satisfy M-22-18 required actions. M-22-18 also speaks to the establishment of a government-wide repository for attestations and artifacts, the utilization of third-party assessor organizations such as FedRAMP, among other items. Speakers will address the expected process for satisfying M-22-18 requirements, the process by which agencies are expected to fulfill M-22-18 requirements, and provide an update on CISA’s self-attestation common form. Speakers will also answer questions received in advance of the workshop in this session.






Created May 18, 2023, Updated June 1, 2023