New Federal Compliance Requirements for Software Security — Explanation, Impact, and Areas of Concern
In 2020, hackers broke into the networks of the Treasury and Commerce departments as part of a months-long global cyberespionage campaign. It happened after malware was slipped into a SolarWinds software update — a popular piece of software used by multiple U.S. federal agencies.
As expected, the incident prompted the Federal government to update its software security requirements. In this blog post, we’ll review the new federal compliance requirements — “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” — and discuss the impact of this change.
An Explanation of Changes
The updated guidance from the Office of Management and Budget (OMB) represents a commitment to furthering the maturity of the Federal government’s approach to supply chain risk management. It builds on other recent initiatives from the Biden administration, including the federal zero trust strategy.
The guidance represents an attempt to ensure security in open-source software to protect federal data. The OMB memo requires agencies to ensure their software is developed in line with two documents published earlier this year by the National Institute of Standards and Technology (NIST):
- Secure Software Development Framework (SSDF)
- Software Supply Chain Security Guidance
Currently, instead of a third-party audit, agencies only need to obtain a self-attestation from the software producer that the vendor follows the NIST practices. If software vendors don’t meet all of the NIST practices, agencies may accept a “plan of action and milestones” from the vendor outlining how they will update their cybersecurity practices to meet the NIST practices.
The Impact of Federal Compliance Updates
This guidance impacts software producers who service the Federal government. The guidance must be applied to all software developed in the future, as well as any updates to existing software used by the Federal government.
As such, we will see a trickle-down effect into federal contracts that procure or use vendor software solutions — especially in the cloud. Contracts will include more stringent cybersecurity protocols to meet the requirements within the memo.
Areas of Concern
While we applaud the evolution of federal compliance standards and government cybersecurity protocols, we do see two main areas of concern with the new guidance: the software bill of materials, and the acceptance of a self-attestation.
Software Bill of Materials (SBOM)
As part of the new requirements, federal agencies have 90 days to inventory all third-party software. After that, agencies must communicate relevant requirements to vendors and collect attestation letters.
This is easier said than done. Maintaining an accurate and current inventory of software and hardware has always been an issue, especially for enterprise-level organizations. Now, there will be greater scrutiny of this inventory management. We anticipate logistical issues getting this off the ground that could delay the implementation of these new software security requirements.
Self-Attestation
The memo allows agencies to accept a self-attestation from software vendors, attesting to the vendor’s adherence to NIST frameworks. Unfortunately, that hasn’t always worked well in the past.
You may recall that the Defense Federal Acquisition Regulation Supplement (DFARS) allowed DoD contractors and subcontractors to self-attest to their adherence to NIST SP 800-171. After auditing a handful of contractors, the DoD found too many deficiencies within these organizations that had self-attested to their NIST compliance. To mitigate this issue, the DoD updated DFARS to introduce the Cybersecurity Maturity Model Certification (CMMC). This included a certification process via CMMC Third Party Assessment Organizations (C3PAOs) that replaced the self-attestations.
We anticipate similar issues will arise with this new OMB guidance. It’s likely that self-attestation is just an initial step to help get this program off the ground. In the future, these new compliance requirements may eventually roll into an existing federal cybersecurity framework that requires independent validation.
How You Should Approach Federal Compliance
If you are a software vendor servicing the Federal government, you should expect to see more stringent cybersecurity requirements trickle into your government contracts. To prepare — and eliminate the risk of losing your existing government contracts — it’s best to pursue federal assessments and compliance initiatives that attest to your cybersecurity maturity. These may include:
- NIST 800-171 assessment to evaluate your company’s controls against the controls published in NIST SP 800-171.
- FISMA certification to help your company develop, document, and implement an information security and protection program.
- CMMC certification (relevant for DoD contracts).
- FedRAMP authorization.
A-LIGN can help meet all of your federal compliance needs. Contact our experts today to learn more.