Biden issues cybersecurity guidance for software vendors

The guidance is an extension of President Biden's cybersecurity executive order from 2021 and includes new requirements for software deployed in federal agencies.

The White House released guidance Wednesday as an extension of a cybersecurity-focused executive order President Biden signed last year.

Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity," on May 12, 2021, outlining plans to modernize the United States' cybersecurity posture and mandate controls such as multifactor authentication across federal systems. One section of the order called for guidelines governing the software purchased and deployed within government networks; Wednesday's memorandum delivers those guidelines.

In a statement posted to the White House website, Federal CISO and Deputy National Cyber Director Chris DeRusha said that while the only criterion of quality for a piece of software used to be whether it worked or not, technology today must be developed in a way that is resilient and secure.

"The guidance, developed with input from the public and private sector as well as academia, directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered," he said.

Biden's cybersecurity guidance requires that, before using new software, federal agencies obtain a self-attestation form from the software producer confirming that the product was developed in conformance with the NIST guidance referenced in the executive order: NIST's Secure Software Development Framework (SP 800-218) and its Software Supply Chain Security Guidance.

A self-attestation is the producer's own signed statement of conformance rather than an independent audit, so depending on the agency, the producer might also be required to back it up with artifacts such as a software bill of materials (SBOM) that the agency can check against the attestation. In addition, the producer might be required to provide evidence that it participates in a vulnerability disclosure program.

The executive order and memorandum bind federal agencies, not private vendors: no vendor is legally compelled to release secure, compliant software, but an agency may not deploy software for which it has not received an attestation. DeRusha said the action was necessary in the wake of the SolarWinds supply chain attack in 2020, which led to breaches at several federal agencies.

"This incident was one of a string of cyber intrusions and significant software vulnerabilities over the last two years that have threatened the delivery of Government services to the public, as well as the integrity of vast amounts of personal information and business data that is managed by the private sector," DeRusha said in his statement.

The U.S. government is a massive software purchaser. At Black Hat 2022 last month, former Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs referred to the Department of Defense as "likely the largest customer of most of the big tech firms."

The White House gave federal agencies 90 days from publication of the memorandum to inventory the software subject to the requirements, 120 days to develop a process for communicating the requirements to the relevant software producers, 270 days to collect attestation letters for "critical software" (where the producer has not already posted the attestation publicly) and 365 days to collect attestation letters for all other software.

Specific instructions were also given to CISA and the Office of Management and Budget (OMB). OMB will, within 180 days and in collaboration with CISA as well as the General Services Administration, "establish requirements for a centralized repository for software attestations and artifacts, with appropriate mechanisms for protection and sharing among Federal agencies."

Separately, CISA will develop the guidance and processes that support these software compliance requirements.

The White House has not responded to TechTarget Editorial's request for comment at press time.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
