Companies providing software to the federal government need to be prepared to attest that their software is NIST (National Institute of Standards and Technology)-compliant within the coming year. On September 14, 2022, the Director of the White House Office of Management and Budget issued a Memorandum for the Heads of Executive Departments and Agencies. Pursuant to President Biden’s Executive Order 14028, Improving the Nation’s Cybersecurity (May 21, 2021), the OMB Memo specifies that “Federal agencies must only use software provided by software produces who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.”
The Memo directs federal agencies to obtain self-attestation of NIST-compliance from software producers before using their software. A standardized attestation form will be made available. Producers may comply by posting their self-attestation publicly on their website or by including it in their proposals. If a software producer cannot attest to one or more NIST practices, then agencies are required to obtain a Plan of Action & Milestones (POA&M), documenting the practices to which the producer cannot attest and those in place to mitigate any risks. If the POA&M is satisfactory, the agency may use the software without a complete self-attestation. For critical software, agencies also have flexibility to demand artifacts, such as a Software Bills of Materials (SBOM), to demonstrate conformance with secure software development practices.
Within the next 90 days (by December 14, 2022), agencies are directed to inventory their software, with a separate inventory for critical software. Within 120 days (by January 13, 2023), agencies are to begin collecting attesting letters from providers. Attestation letters from critical software providers are to be collected within 270 days (by June 23, 2023), with the remainder collected within 365 days (by September 25, 2023).