Government open source cybersecurity resource center

The Office of Management and Budget (OMB) guidance in M-22-18 is a direct follow-up to White House Executive Order 14028. It formalizes the NIST guidance provided in the NIST Secure Software Development Framework and NIST Software Supply Chain Security Guidance documents as the government requirements for developing secure software, and mandates federal government agencies comply with these guidelines. It also sets aggressive deadlines for compliance, both for the agencies themselves and for organizations that provide software to these agencies.

What you need to know

Any organization that sells software to the government will be required to self-attest that their software complies with the NIST guidelines as soon as June 2023 (for critical software). In addition:

• Going forward, federal agencies must only use software provided by software producers who can attest to complying with the NIST guidance.
• Agencies will be required to obtain a self attestation from all software providers by June 2023 for critical software and September 2023 for all other software.
• Self-attestation is the minimum level required, but some agencies may make risk-based determinations that a third-party assessment is required due to the criticality of the software.
• Some U.S. agencies will require software producers to provide a software bill of materials (SBOM) and documented processes to validate code integrity.

What is an attestation?

Attestation is the “issue of a statement, based on a decision, that fulfillment of specified requirements has been demonstrated.”

In this case, organizations selling software to the government will be required to self-attest that they conform with all of the secure software development standards outlined in the NIST guidelines.

Source: Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e

The White House issued Executive Order 14028 on Improving the Nation’s Cybersecurity in May 2021 in response to increasing digital threats like the one that impacted SolarWinds and its customers.

This order set in motion many of the other US government efforts to improve cybersecurity that are highlighted in detail on this page. It had many elements that specifically impacted organizations developing applications with open source, and set timelines for more detailed guidelines that are now beginning to emerge from NIST and the OMB.

What you need to know

Executive Order 14028 has numerous provisions that organizations using open source to develop applications should understand. At a high level, it states that organizations will need to begin to attest to the health, security, and provenance of the open source components that go into their applications. Among other stipulations, it recommends that organizations:

• Maintain accurate and up-to-date data of their software code, components, and controls on internal and third-party software components, tools, and services present in software development processes, and perform audits and enforcement of these controls on a recurring basis.
• Provide purchasers with a software bill of materials (SBOM) for each product directly or publish it on a public website.
• Ensure and attest, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.