White House Issues New Memo to Secure Supply Chain
OMB’s new supply chain memo calls on agencies to use software that has been built following common cybersecurity practices.
The Office of Management and Budget (OMB) on Wednesday issued a memo on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. The directive calls for agencies to use software built with common cybersecurity practices.
“With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries,” Federal CISO and Deputy National Cyber Director Chris DeRusha said in a briefing.
The memo was issued under President Biden’s May 2021 cybersecurity executive order that aims to identify, deter, protect against, detect and respond to cybersecurity threats.
The rule will require federal agencies to use a standardized self-attestation form consistent with the National Institute of Standards and Technology (NIST) Software Supply Chain Security Guidance before using a vendor’s software. Agencies must use the form for all third-party software, including software renewals and major version changes.
“By strengthening our software supply chain through secure software development practices, we are building on the Biden-Harris Administration’s efforts to modernize agency cybersecurity practices, including our federal zero trust strategy, improving our detection and response to threats, and our ability to quickly investigate and recover from cyberattacks,” DeRusha added.
The memo also sets new deadlines for federal agencies:
- Within 90 days, agencies must inventory all software and create a separate inventory for “critical software.”
- Within 120 days, agencies must develop a consistent process for communicating relevant requirements and collect letters of attestation from software providers.
- Within 180 days, agency CIOs must assess organizational training needs and develop training plans for the review and validation of attestation.
OMB has called on the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) to help develop requirements for a central repository for software attestations and artifacts.
“Within 1 year from OMB’s establishment of requirements, CISA, in consultation with GSA and OMB, will establish a program plan for a government-wide repository for software attestations and artifacts with appropriate mechanisms for information protection and sharing among federal agencies,” the memo said.
DeRusha noted that the guidance will enable OMB to build trust and transparency across the digital infrastructure and will allow the agency to fulfill its commitment to protecting national and economic security.
“[The memo] is part of a larger enterprise cybersecurity and information technology (IT) modernization plan that ensures we can deliver a simple, seamless and secure customer experience,” DeRusha said.