The Office of Management and Budget on Wednesday issued new guidelines that require all federal agencies to buy and use only software that complies with development and security processes approved by the federal government.
“Federal agencies must only use software provided by software producers who can attest to complying with the government-specified secure software development practices, as described in the NIST Guidance,” OMB Director Shalanda Young said in a memo.
NIST, the National Institute of Standards and Technology, laid out principles in February for so-called secure software development that companies can use to assess whether various components that go into assembling complex software are safe and free of bugs or backdoors that could allow hackers to penetrate systems.
Under the OMB guidelines, officials overseeing technology purchases at federal agencies must obtain from software vendors a self-attestation that companies have adhered to the security steps developed by NIST.
Federal agencies may also require a software bill of materials from vendors when they ask for bids for critical projects. Such a bill of materials would list all the components in the final software and the makers of those components.
Within 90 days, all federal agencies must prepare an inventory of their software and within six months agencies must ask vendors to attest that their software was developed using secure processes.
The OMB memo said the Cybersecurity and Infrastructure Security Agency would establish a standard attestation form. CISA would also set up a government-wide repository where all agencies can store the attestation forms submitted by software vendors.
“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” Chris DeRusha, the federal chief information security officer, said in a statement. “With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure.”
“This is not theoretical,” DeRusha said. “Foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure.”
BSA | The Software Alliance, a trade group representing major companies including Microsoft, IBM, Intel and others, welcomed the new rules.
“BSA is pleased to see OMB’s guidance includes many of the best practices” in the group’s recommendations from 2019, Henry Young, director of policy for the group, said in an email. “We advocated that this guidance place similar secure development requirements on software developed by the U.S. government and will continue to support more deliberate and consistent requirements across the federal enterprise in future iterations.”
The new guidelines follow President Joe Biden’s May 2021 executive order that called for improving the federal government’s cybersecurity practices after a cyberattack mounted by Russian intelligence operatives on a software vendor exposed several major Cabinet agencies.
“Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” Biden’s executive order said.
In December 2020, cybersecurity research firm FireEye revealed that network management software made by Texas-based SolarWinds was breached, potentially exposing as many as 18,000 of SolarWinds’ clients.
In-depth assessments revealed that about 100 of those clients were affected, SolarWinds has said.
U.S. officials later said the attack was carried out by Russian intelligence operatives who broke into a software update process used by SolarWinds and used that to gain access to company clients that had unwittingly installed the tainted software update.
In the immediate aftermath of the attack, U.S. officials asked all federal agencies using SolarWinds to disconnect the software and rebuild their computer operating systems.