New: Secure Software Development Requirements

by Brandon Graves, Partner


Secure software development requirements are coming rapidly for federal contractors.

Last year’s Executive Order called for securing the government’s software supply chain in the wake of the SolarWinds breach. There have been several initiatives to implement this directive, as well as parallel efforts in Congress.

On September 14th, 2022, the Office of Management and Budget issued guidance furthering this work.  Specifically, OMB is directing executive agencies to follow the guidelines published by the National Institute of Standards and Technology in two publications: the NIST Secure Software Development Framework, SP 800-218, and the NIST Software Supply Chain Security Guidance.

OMB’s directive states that “[f]ederal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.”

Pursuant to this, software producers must provide a “conformance statement” for software subject to the guidance, including renewals and major version changes.  This stricture is not absolute, however, as OMB does permit a Plan of Action and Milestones (POA&M) to serve for some of the requirements in the NIST guidance.

Agencies have 90 days from issuance to inventory all software subject to OMB’s directive, 120 days to develop a consistent process to communicate their respective requirements, and 270 days to collect attestation letters for critical software, with all letters collected within 365 days.

What does this mean for software developers? They should immediately begin assessing their software development practices against the NIST documents. It will take significant time to implement some of these requirements, especially if they have to work with third parties. Their customers, both federal and commercial, will soon begin asking about their compliance status. They may lose customers if they are unable to comply within a year, if not sooner.

Currently, this requirement is a self-attestation. But third-party attestations may follow shortly, and the Department of Justice already has a task force dedicated to pursuing False Claims Act cases against contractors that misrepresent cybersecurity compliance. Congress may pass a law requiring similar or additional compliance obligations. Developers must take these requirements seriously and develop robust compliance programs.