White House Issues New Memo to Secure Supply Chain
OMB's new supply chain memo calls on agencies to use only software that was built following common secure development practices.
The Office of Management and Budget (OMB) on Wednesday issued a memo, "Enhancing the Security of the Software Supply Chain through Secure Software Development Practices" (M-22-18), directing agencies to use only software that has been developed in line with common secure software development practices.
“With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries,” Federal CISO and Deputy National Cyber Director Chris DeRusha said in a briefing.
The memo was issued under President Biden's May 2021 cybersecurity executive order (EO 14028), which aims to identify, deter, protect against, detect and respond to cybersecurity threats.
The memo requires federal agencies to obtain a standardized self-attestation form, consistent with the National Institute of Standards and Technology (NIST) Software Supply Chain Security Guidance, from a software producer before using that producer's software. Agencies must collect the form for all third-party software, including software renewals and major version changes.
“By strengthening our software supply chain through secure software development practices, we are building on the Biden-Harris Administration’s efforts to modernize agency cybersecurity practices, including our federal zero trust strategy, improving our detection and response to threats, and our ability to quickly investigate and recover from cyberattacks,” DeRusha added.
The memo also sets new deadlines for federal agencies:
- Within 90 days, agencies must inventory all software in use and maintain a separate inventory of "critical software."
- Within 120 days, agencies must develop a consistent process for communicating the relevant requirements to software producers and collecting letters of attestation from them.
- Within 180 days, agency CIOs must assess organizational training needs and develop training plans for reviewing and validating attestations.
OMB has called on the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) to help develop requirements for a central repository for software attestations and artifacts.
“Within 1 year from OMB’s establishment of requirements, CISA, in consultation with GSA and OMB, will establish a program plan for a government-wide repository for software attestations and artifacts with appropriate mechanisms for information protection and sharing among federal agencies,” the memo said.
DeRusha noted that the guidance will enable OMB to build trust and transparency across federal digital infrastructure and will allow the agency to fulfill its commitment to protect national and economic security.
“[The memo] is part of a larger enterprise cybersecurity and information technology (IT) modernization plan that ensures we can deliver a simple, seamless and secure customer experience,” DeRusha said.