<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

The U.S. government has announced a new mandate for government agencies requiring them to purchase software only from providers who can attest that their software was developed in compliance with the NIST Secure Software Development Framework (SSDF). 

Some dates for compliance have already passed

In memorandum M-22-18, the government outlines dates by which agencies will need to collect self-attestations from their vendors. The direct follow-up memorandum M-23-16 adjusted the initial proposed datesthe end of 2023 for critical software and early 2024 for all other software.

Self-attestation is required for all software suppliers

Going forward, federal agencies will only be able to buy software from providers who can attest to complying with the NIST software supply chain security guidance

Guidelines are likely to be expanded

It is reasonable to expect that this requirement will extend to all software in use by federal agencies, including in-house software built on open source.

How Tidelift can help

Watch a demo to learn how Tidelift can help your organization comply with attestation requirements for the open source components in your agency’s software supply chain


Tidelift helps government agencies and their suppliers complete the NIST self-attestation requirements for the open source dependencies in your applications (which in many codebases makes up 75% or more of the code).

The Tidelift Subscription is a complete solution for managing open source, including the tools, data, and strategies you need to minimize open source software security risks.

Tidelift pays the maintainers behind thousands of the most commonly used open source packages to attest their projects are developed using secure software development practices. Our subscription includes:

The only source for first-hand attestation data from the maintainers behind thousands of open source packages that go into your software, aligned to the U.S. government’s NIST Secure Software Development Framework (SSDF) standards.

A standardized attestations report, to be used as evidence that the open source dependencies in your organization’s applications follow secure software development best practices.

A solution for dynamically tracking attestations for open source components going into your product, and keeping these attestations current automatically.

Tidelift named Gartner® Cool Vendor™