Inside Cybersecurity

May 9, 2024

Stakeholders raise questions about liability component of OMB push for software self-attestation

By Sara Friedman / June 13, 2023

Technology and software stakeholders are questioning how the Office of Management and Budget will address liability as part of its upcoming software self-attestation requirement following the release of a memorandum crafted to clarify certain aspects of the rollout.

The OMB memorandum, issued on Friday, extends the deadline for agencies to begin collecting self-attestation forms, clarifies the scope of what software is included and adds policy conditions for addressing gaps in attestation.

The Cybersecurity and Infrastructure Security Agency put out the common self-attestation form as a draft for public comment in April. The agency is accepting feedback through June 26.

The Information Technology Industry Council praised OMB for extending the deadline, saying the move “provides much needed relief to software producers.”

ITI’s executive vice president of policy, Gordon Bitko, called the extension “an important step towards ensuring a consistent rollout process across the federal government.” In a statement, he said “We also appreciate the additional guidance on the clarification of scope around third-party software components.”

“At the same time, we urge OMB to address ongoing concerns regarding liability and issue a confirming statement that helps protect signatories. We strongly encourage OMB to keep up its public engagements so that software product security teams can learn how to meet the government’s expectations, raise outstanding questions, and share best practices,” Bitko said.

The new memo extends the deadline for agencies to begin collecting the self-attestation forms until CISA finalizes the common form. It provides a three-month extension for critical software and six months for non-critical software.

The memo is an update to a September 2022 OMB memorandum on securing the software supply chain by making improvements to development practices. OMB and NIST on June 1 held a workshop to provide an update on the original 2022 memorandum and the self-attestation form and answer questions from stakeholders.

BSA-The Software Alliance Director of Policy Henry Young said the group “welcomes the decision by OMB to take the extra time necessary to calibrate its efforts to gauge the security of critical software systems. BSA has been advocating for years for technology-neutral policies that help to incentivize the strength of the broader cybersecurity ecosystem.”

In a statement, Young said, “As OMB works across government to set a consistent method for attesting to software security, the federal government should pursue policies that help to unify the government’s approach to software security and ensure that companies that use best practices to develop and maintain secure software are able to obtain safe harbor from liability.”

“This is consistent with recommendations in the administration’s National Cybersecurity Strategy, and represents a shared priority for makers of enterprise software,” Young said. -- Sara Friedman (sfriedman@iwpnews.com)