On May 12, 2021, President Biden issued Executive Order (EO) 14028 on “Improving the Nation’s Cybersecurity.” This EO requires the Government to only purchase software that is developed securely, and directs the National Institute of Standards and Technology (NIST) to “issue guidance identifying practices that enhance the security of the software supply chain.” NIST developed this guidance in partnership with the private sector and issued it on February 4, 2022. The NIST guidance, the Secure Software Development Framework (SSDF) and related Software Supply Chain Security Guidance, includes a set of practices that create the foundation for developing secure software.
The EO also directs the Office of Management and Budget (OMB), within 30 days of the issuance of the SSDF, to “take appropriate steps to require that agencies comply with such guidelines with respect to software procured after the date of this order.” As such, Federal agencies must begin to adopt the SSDF and related guidance effective immediately, tailoring it to the agency’s risk profile and mission. OMB understands vendor attestation of secure software development practices has significant implications for vendors and service providers supporting delivery. As a result, OMB will engage with the private sector on how best to implement this requirement before directing agencies to require an attestation.
OMB intends to seek feedback through a set of structured implementation questions. These questions will be released ahead of a public workshop. The questions and related workshop will be forward looking, focusing exclusively on best practices for implementing the SSDF, and approaches for attesting to secure software development practices. OMB will incorporate feedback as appropriate.