This is the twenty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2023.
CISA Requests Comment on Secure Software Self-Attestation Common Form
On April 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released a 60-day Request for Comment on a draft secure software self-attestation common form. Comments will be accepted through June 26, 2023 and may be submitted through Regulations.gov. The draft common form, developed in close consultation with the U.S. Office of Management and Budget (“OMB”), is a key step in implementation of OMB Memorandum M-22-18, which was issued pursuant to Section 4 of the Cyber EO and directs agencies to only use software that complies with Government-specified secure software development practices (the “OMB Memorandum”). Specifically, and among other requirements, the OMB Memorandum directs that software providers self-attest that the software developer follows the secure development processes described by NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance. The key provisions of the OMB Memorandum are discussed in more detail in our prior blog.
Scope. The OMB Memorandum applies to all software (other than agency-developed software) developed or experiencing major version changes to be operated “on the agency’s information systems or otherwise affecting the agency’s information.” CISA’s draft common form further specifies that the “following software requires self-attestation:
- Software developed after September 14, 2022;
- Existing software that is modified by major version changes […] after September 14, 2022; and
- Software to which the producer delivers continuous changes to the software code (such as software-as-a-service products or other products using continuous delivery/continuous deployment).”