This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through May 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during June 2023.
NIST Hosts Workshop on Common Attestation Form
On June 1, 2023, NIST hosted a workshop on OMB M-22-18 Minimum Requirements for secure software self-attestations pursuant to Section 4 of the Cyber EO. The workshop included two panels with speakers from OMB and CISA.
During the workshop, OMB announced that the deadline for self-attestations had been extended and this was confirmed in a June 9, 2023 follow up OMB Memorandum (see below). OMB representatives also noted that they anticipate the Common Form will be finalized this Fall or Winter.
Additionally, OMB representatives acknowledged that some agencies (e.g., NASA and GSA) had already issued their own self-attestation forms and guidance earlier this year, but stated that they expect those agencies may adjust their attestation processes in light of OMB’s updated timeline. OMB representatives reiterated that although agencies are free to supplement the common form issued by CISA with additional requirements, they understood that most agencies did not intend to depart much from the common form. If an agency chooses to forgo the common form and create its own form entirely, OMB representatives explained that the agency would need to follow the full Paperwork Reduction Act process.
OMB representatives confirmed that they are working on creating a central repository for self-attestation forms. Contractors would be able to upload their attestations to the central repository, and agencies would be able to access the repository. They noted that one goal of the repository is to avoid duplicative asks of contractors. This repository is still a work in progress, and until it is complete, agencies will need to collect self-attestation forms from contractors directly.
OMB representatives confirmed that contractors will be able to submit a POA&M if they are unable to attest to implementing all of the requirements identified in the self-attestation form. Contractors will not be permitted to submit a partial self-attestation. OMB representatives stated that a template POA&M was unlikely to be created because of the unique nature of individual software products.
When asked about the definition of critical software, OMB representatives responded that they understood that most agencies would be using the NIST definition of critical software. They acknowledged that some vendors may not know that they had been identified as critical. They encouraged vendors to reach out to agencies to discuss but did not provide more guidance.
When asked whether OMB anticipated any guidance or memorandum that would standardize the SBOM process, the OMB representatives responded that they were considering such an approach, but more time was needed. They reiterated that SBOMs are not part of the minimum requirements at this time, but SBOMs could be incorporated as a minimum requirement in the future.
Finally, the OMB representatives stated that they thought it would make practical sense for companies to self-attest for the entire company if possible, instead of on a product by product basis.
OMB Issues M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices”
On June 9, 2023, OMB published M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (“June 2023 Update”). M-22-18, published in September 2022, requires agencies, before using software, to obtain a self-attestation from the software producer that the software was developed in accordance with the secure development practices described in the NIST Secure Software Development Framework (“NIST SP 800-218”) and the NIST Software Supply Chain Security Guidance. CISA released a draft self-attestation form in late April that largely tracks the NIST guidance, but the form has not yet been finalized. The June 2023 Update provides several significant updates and clarifications to the self-attestation process.
First, the timeline by which agencies must collect attestations or POA&Ms is extended, as the final form for attestation is not yet available. The new deadlines for agencies to collect attestations are three months after CISA and OMB finalize the common form for critical software and six months after for all other software.
The June 2023 Update provides that agencies need only collect attestations from the prime contractor. This places the burden on prime contractors to ensure they can attest with respect to the entire software end product, including the integration of components developed by subcontractors or other third parties.
Moreover, the June 2023 Update states that agencies are not required to collect an attestation for software that is freely obtained and publicly available, which includes open source software as well as proprietary software that is free and publicly available. Additionally, agencies are not required to collect an attestation for agency-developed software, meaning software over which the contracting agency has sufficient control that the agency itself is able to ensure secure software development practices are followed throughout the entire software development lifecycle. The memorandum further clarifies that agency CIOs are responsible for determining whether software qualifies as agency-developed.
Where a contractor submits a POA&M instead of attesting to current compliance, the June 2023 Update states that the contractor must identify the specific practices to which it cannot attest and document the practices it has in place to mitigate the associated risks. The agency may continue to use the software if it finds the POA&M satisfactory, but it must also provide the POA&M to OMB and seek OMB’s approval of an extension of the attestation requirement.
CISA Hosts an SBOM-a-rama
On June 14, 2023, CISA hosted an “SBOM-a-rama” to discuss the current state of Software Bill of Materials (“SBOM”) and next steps. Sessions covered sector specific SBOM work as well as generally applicable concerns about SBOMs, like the sharing and exchanging of SBOMs and how to implement an SBOM.
One of the speakers at the SBOM-a-rama was Shon Lyublanovitz, the leader of CISA’s cyber supply chain risk management (C-SCRM) program office, which is responsible for reviewing and responding to the comments on CISA’s proposed common self-attestation form. In response to a question regarding why there was no mention of SBOMs in the common form, Ms. Lyublanovitz stated that OMB wants to take a “crawl, walk, run” approach and therefore decided not to include a requirement for SBOMs in the proposed common form. She noted, however, that agencies can ask for SBOMs if they want to. She also noted that provenance is mentioned in the SSDF in the context of third-party software code, and invited comments on how stakeholders planned to address this requirement.
Following the SBOM-a-rama, CISA officials distributed to the participants a draft of “SBOM FAQs” that consisted of approximately 30 pre-existing or revised questions and answers as well as nine new questions and answers. These officials invited comments on the new and modified FAQs. When finalized, CISA intends to post the FAQs on its website as a resource for the SBOM community.
CISA Receives Comments on the Secure Software Development Attestation Common Form
As discussed above, on April 27, 2023, CISA released a 60-day Request for Comment on its draft secure software development attestation common form, which was developed in close consultation with OMB. The Request for Comment stated that CISA would accept comments through June 26, 2023. Although the comment deadline has passed, organizations and others have continued to submit comments. As of June 28, 2023, CISA had received 110 comments on the draft common form, including from major industry trade groups and coalitions. The comments have raised various points and concerns regarding the draft common form, including (but not limited to):
- Mapping Inconsistencies – Some comments stated that the common form’s requirements are inconsistent with NIST SP 800-218.
- Verification Evidence and Artifacts – Some comments stated that the common form did not provide guidance regarding artifacts that agencies may require as part of the attestation process.
- Scope of “Software” – Some comments have raised concerns and questions about the scope of the definition of “software” under OMB Memorandum M-22-18, including whether the requirements are intended to apply to commercially available off-the-shelf products, Internet of Things (“IoT”) devices, and hardware products that may contain software and connect to government information systems.