This is the twenty-first in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through December 2022. This blog describes key actions taken to implement the Cyber EO during January 2023.
GSA Announces That It Will Require Software Vendors to Submit Letters of Attestation Beginning in June 2023
On January 11, 2023, the General Services Administration (“GSA”) Senior Procurement Executive and Chief Information Officer jointly issued Acquisition Letter MV-23-02, “Ensuring Only Approved Software Is Acquired and Used at GSA” (the “GSA letter”). The GSA letter establishes a June 12, 2023 effective date for implementing the secure software acquisition requirements of Office of Management and Budget (“OMB”) Memorandum M-22-18, issued pursuant to Section 4 of the Cyber EO. That OMB memorandum directs that agencies must only use software that complies with Government-specified secure software development practices. These practices include obtaining self-attestations of conformity with secure software development practices and, in certain cases as determined by agencies, artifacts such as Software Bills of Materials (SBOMs) from software vendors to verify that the acquired software[1] was developed and produced according to NIST security guidelines and best practices.
The GSA letter directs GSA’s IT officials to update GSA’s policies by June 12, 2023 to reflect the process for collecting, renewing, retaining, and monitoring the self-attestation information mandated by OMB M-22-18. For existing contracts that include the use of software, the GSA letter directs GSA IT to provide an internally accessible list of the software used for each contract and to collect vendor attestations by June 12, 2023. For new contracts that include the use of software, the GSA letter directs the relevant acquisition teams to modify the acquisition planning process to ensure that performance of such contracts begins only after the requisite attestations have been collected and considered. Finally, with respect to GSA-administered Government-wide indefinite delivery vehicles (e.g., Federal Supply Schedule contracts, Government-Wide Acquisition Contracts, and Multi-Agency Contracts), the GSA letter directs GSA contracting activities to allow, but not require, contractors to provide attestations at the base contract level rather than the task or delivery order level, and to make those attestations available to ordering activities to the extent possible. With this said, the GSA letter specifies that ordering agencies will ultimately be responsible for complying with OMB M-22-18.
The GSA letter notes that the FAR Council has opened FAR Case 2023-002 to issue a proposed and final rule implementing Cyber EO software security requirements similar to those imposed by OMB M-22-18. (The Open FAR Cases Report states that a notice of proposed rulemaking under this case is expected to be issued in June 2023, with a final rule expected in September 2023.) The GSA letter states that once this rule is finalized, “relevant GSA acquisition policy…may be updated to further implement the FAR rule.” This statement makes clear GSA’s intent to proceed with requiring and gathering secure software attestations from vendors even in the absence of a FAR provision requiring such attestations.
NIST Updates Guidance for Implementing Zero Trust Architecture
On January 6, 2023, NIST’s National Cybersecurity Center of Excellence (“NCCoE”) released a bulletin requesting comment on its second version of volumes A-D and the first version of volume E of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture.” NIST sought the public’s comments on the contents of this practice guide. In a statement accompanying the release of the draft volumes, NCCoE stated that the guidance reflects industry input and is intended “to demonstrate several approaches to a zero-trust architecture applied to a conventional, general-purpose enterprise IT infrastructure on-premises and in the cloud.”[2] The draft guidance identifies milestones for implementing the elements of zero-trust architecture, including milestones for limiting insider threats, conducting real-time and continuous monitoring and logging, and performing risk-based assessments.
[1] OMB M-22-18 defines “software” to include “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”
[2] The public comment period ended on February 6, 2023.