Inside Cybersecurity


OMB, CISA developing common form to help agencies with software self-attestation memo

By Sara Friedman / March 2, 2023

The Office of Management and Budget and CISA are working together to create a common form that will allow software producers to self-attest their compliance with NIST's Secure Software Development Framework (SSDF) once, for use across multiple agencies.

The form follows on from the 2021 cyber executive order and OMB's 2022 memorandum (M-22-18), which requires federal agencies to obtain a self-attestation from producers that the software they buy was developed in line with the NIST Secure Software Development Framework.

The common attestation form required by the OMB memo will provide “clarity,” Federal CISO Chris DeRusha said Thursday at a NIST advisory board meeting. The draft form will be published in the Federal Register under a 60-day public comment period.

[Photo] Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director

“The Secure Software Development Framework is a fantastic framework but when a company is going to attest specifically to the practices, we all have a feeling it needs to be more specific about what those are, instructions, how to submit artifacts and how to treat SBOMs,” DeRusha told reporters following his talk at the Information Security and Privacy Advisory Board meeting.

During his presentation, he said agencies will still be able to conduct second- and third-party assessments “to ensure the framework has been followed … but OMB is currently not directing it.” DeRusha compared the new software policy to the Pentagon’s Cybersecurity Maturity Model Certification program, which relies on third-party attestation and has faced delays.

DeRusha said, “If you look at the lessons learned from CMMC, it’s taken quite a bit of time, effort and resources to develop an accredited third-party attestation training [function]. No matter the program, you need to have [that] for the ecosystem to function.”

OMB recognizes that self-attestation has “some limitations,” DeRusha said, while also arguing that the policy is “pretty binding” and companies will take it seriously. He said CISA worked with the IT Sector Coordinating Council to socialize the common form and “got some fantastic feedback from that process.”

The ISPAB meeting on Wednesday also featured talks from NIST Information Technology Laboratory Acting Director Jim St. Pierre and Office of the National Cyber Director’s Drenan Dudley. NIST’s Victoria Pillitteri presented on the risk management framework.

OMB and CISA will ingest the feedback received on the draft form and put out a final form in the Federal Register with a 30-day comment period. DeRusha said the policy will offer waivers and extensions when needed.

OMB is also working on a rulemaking to make changes to the Federal Acquisition Regulation on securing software based on section four of the cyber EO. DeRusha said the self-attestation process will inform the rule.

DeRusha talked more broadly about the government’s work to implement mandates from the cyber EO on zero trust, multifactor authentication, logging and encryption at rest and in transit.

All of the work stems out of OMB’s zero trust strategy, DeRusha said, establishing milestones that agencies need to meet. Agencies were required to submit budget proposals to OMB and the ONCD to implement zero trust under the strategy for fiscal 2024.

DeRusha said OMB is also using lessons from other agencies that are implementing zero trust like the National Security Agency and DOD zero trust portfolio management office. Cyber requirements in the EO only apply to civilian agencies.

When it comes to metrics, DeRusha said one example is tracking agency compliance with the CISA binding operational directive that requires agencies to remediate vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. -- Sara Friedman (sfriedman@iwpnews.com)