The Office of Management and Budget’s decision to require self-attestation from companies against NIST secure software standards is the right approach to start raising the bar for federal procurement practices, according to stakeholders, who say requirements will evolve over time.
The policy is laid out in a recent OMB memorandum that sets requirements for procurement at the agency level using NIST’s Secure Software Development Framework and guidance on how to use the publication from a software purchaser viewpoint. The memo fulfills a requirement from President Biden’s 2021 cyber executive order to secure federal networks.
Contracting attorney Robert Metzger said the memo is a “good start” on a “very complex subject,” adding that “it is best to take measures in increments rather than over-reach.”
“The OMB memo, as well as EO 14028, communicate clearly that software producers will be held to higher levels of assurance. The OMB memo sets a timetable which, while aggressive, plainly signals to agencies and the private sector that they should start now to prepare for higher demands of software assurance,” Metzger said.
The self-attestation policy stands in direct contrast to the Defense Department’s work to stand up a cyber certification program using third-party assessment organizations. The DOD program is focused on the handling of sensitive federal data on contractor networks and is based on NIST Special Publication 800-171.
“Our experience has shown us if you try to put the self-attestation in place, it doesn’t necessarily get the results that you want,” CMMC director Stacy Bostjanick said at a NIST workshop in March. Having another entity check compliance has “seemingly” made defense contractors pay more attention to their own security practices, she said.
NIST held the workshop on behalf of OMB to hear from stakeholders on how the government should implement the SSDF.
Metzger told Inside Cybersecurity, “The memo could be criticized for not establishing any method to verify or validate, and there are no evident means to ‘enforce’ the memo by sanctions against or exclusion of providers who do not attest to following the NIST software guidance. Eventually, these mechanisms will be needed, but not yet.”
Metzger said, “I oppose attempting to replicate or mimic CMMC to assess whether providers act as they attest. The present standards are not sufficiently detailed, and time is needed to understand better the commercial tools available and which industry best practices should be employed.”
“Software is performance-determinative of many federal systems, civilian and military. It is vital that we secure the software supply chain. But getting ahead of what we know, and the experience we have, could do much more harm than good,” Metzger said.
Georgianna Shea of the Foundation for Defense of Democracies said the intent behind the OMB memo is “great” but there needs to be “metrics and measures” that are flexible to help with implementation.
There are lessons learned from the rollout of CMMC that could be applied to implementation of the OMB memo, Shea said, such as figuring out the plan to “provide detailed guidance and specific metrics” to agencies and contractors.
OMB should also think about small and medium-sized businesses, Shea said, and “how they are going to be able to meet the requirements if they have to bring in new tools and systems.”
If there will be a mandatory third-party assessment process, there needs to be a discussion on how companies will pay for it, Shea said, which requires a “schedule and resources.”
Shea said, “You can take all of the lessons learned and apply it to this memo as it moves forward and help mitigate some of those hiccups before they encounter the exact same issues.”
Shea is chief technologist for FDD’s Center on Cyber and Technology Innovation. She previously worked as chief engineer of MITRE Corporation’s Defense Acquisition and Policy Department and served as an adviser to the Office of the Under Secretary of Defense, Research and Engineering (OUSD R&E) Developmental Test Evaluation and Assessment (DTE&A).
At FDD, Shea wrote a report on Software Bill of Materials, a topic brought up in the OMB memo as one way companies can provide artifacts for self-attestation. The report proposes a “phased approach” to requiring federal contractors to provide an SBOM and recommends putting out additional guidance on expectations for industry.
Metzger commented, “Before CMMC, studies like the MITRE ‘Deliver Uncompromised’ Report concluded that self-attestation was not working for contractor cyber protection measures. We don’t have comparable experience or evidence yet.”
“We also need to differentiate among software users, uses and consequences of identified weaknesses. OMB already allows agencies to ask for third party assessments. For the present time, agencies should ask selectively and not make third-party assessment the general rule. The availability and sufficiency of organizations trained to assess software development is another consideration,” Metzger said.
Metzger is a co-author of “Deliver Uncompromised,” and co-chair of law firm Rogers Joseph O’Donnell’s Cybersecurity and Privacy Practice Group.
On SBOM, Metzger said he is disappointed that the memo gave “scant attention” to the subject. He added, “I believe SBOMs are exceptionally valuable and already can serve an important ‘forcing function’ to make software developers know more about the build process, provenance, and pedigree of their software components. This reduces risk to software buyers and consumers, even if they do not use the SBOM for forensics.”
Henry Young of BSA-The Software Alliance weighed in on how his industry has been making significant investments in security without significant government intervention.
“The memo provides adequate security measures. Companies take self-attestations very seriously and no company wants to sign an inaccurate document. In limited circumstances, a third-party certification may make sense, but for the vast majority of software, an attestation should be sufficient,” Young said.
BSA is concerned about how agencies could implement the NIST guidance on secure software development processes differently. “Both the US Government and software vendors would be well served by a standardized way to attest to complying with the practices described in the NIST Guidance,” Young said.
Young said, “I am concerned that OMB will move to third-party certification as a baseline, rather than taking a risk-based approach. In some contexts, third-party certification might be warranted but for most agencies those contexts are the exceptions and not the rule.”
He added, “If OMB implements self-attestation on an agency-by-agency basis, it will have missed an opportunity to standardize cybersecurity requirements. To improve cybersecurity, agencies should select vendors based on the security of the products and services they offer, not on which vendor has spent the most on compliance teams to navigate each agency’s unique requirements.” -- Sara Friedman